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                        THURSDAY, JULY 24, 2008

             U.S. House of Representatives,
                       Committee on Ways and Means,
                                    Subcommittee on Health,
                                                    Washington, DC.

    The Subcommittee met, pursuant to notice, at 10:05 a.m. in 
room 1100, Longworth House Office Building, Hon. Fortney Pete 
Stark (Chairman of the Subcommittee) presiding.
    [The advisory announcing the hearing follows:]

ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS

                         SUBCOMMITTEE ON HEALTH

                                                CONTACT: (202) 225-3943
FOR IMMEDIATE RELEASE
July 17, 2008
HL-28

    Hearing on Promoting the Adoption and Use of Health Information 
                               Technology

    House Ways and Means Health Subcommittee Chairman Pete Stark (D-CA) 
announced today that the Subcommittee on Health will hold a hearing on 
promoting health information technology. The hearing will take place at 
10:00 a.m. on Thursday, July 24, 2008, in the main committee hearing 
room, 1100 Longworth House Office Building.
      
    In view of the limited time available to hear witnesses, oral 
testimony at this hearing will be from invited witnesses only. However, 
any individual or organization not scheduled for an oral appearance may 
submit a written statement for consideration by the Committee and for 
inclusion in the printed record of the hearing.
      

BACKGROUND:

      
    Adoption and use of comprehensive, fully interoperable health 
information technology (IT) can be a critical tool in efforts to 
improve clinical outcomes and reduce costs in the health care system. 
The Congressional Budget Office said in a recent report, ``Health 
information technology has the potential to significantly increase the 
efficiency of the health care sector. . . . It could also improve the 
quality of health care and, ultimately, the outcomes of that care for 
patients.'' \1\ In purely financial terms, the RAND Corporation 
estimates that widespread adoption of health IT has the potential to 
reduce system-wide health care spending by up to $80 billion 
annually.\2\ At the same time, health IT could improve clinical 
outcomes by preventing medical errors, improving the practice of 
evidenced-based medicine, reducing disparities in the delivery of care, 
eliminating redundant tests and procedures, and generating data for 
health care research.
---------------------------------------------------------------------------
    \1\ http://www.cbo.gov/ftpdocs/91xx/doc9168/05-20-HealthIT.pdf.
    \2\ http://www.rand.org/pubs/monographs/2005/RAND_MG410.pdf.
---------------------------------------------------------------------------
      
    But these potential benefits come with a cost. Studies indicate 
that the total investment needed to achieve a nation-wide health IT 
network could be more than $100 billion.\3\
---------------------------------------------------------------------------
    \3\ Kaushal and others ``The Costs of a National Health Information 
Network'' Annals of Internal Medicine 2005. Walker and others ``The 
Value of Health Care Information Exchange'' Health Affairs 2005.
---------------------------------------------------------------------------
    Though the United States has consistently been a leader in the 
field of information technology, this country lags 5 to 15 years behind 
countries like Australia, Canada, Germany, Norway and Great Britain in 
terms of the dissemination and use of interoperable health IT 
systems.\4\ The time has come for the American health care system to 
get serious about fully utilizing this important tool.
---------------------------------------------------------------------------
    \4\ Anderson, Frogner, Johns and Reinhardt, ``Health Care Spending 
and Use of Information Technology in OECD Countries'' Health Affairs 
2006.
---------------------------------------------------------------------------
    Key issues to be discussed include: (1) the potential costs and 
benefits associated with the adoption of health IT, (2) options to 
ensure adoption through effective incentives, (3) ensuring that 
incentives are tied to systems that are fully interoperable and have 
necessary clinical capabilities, and 4) protecting patient privacy and 
the security of health information.
      
    In announcing the hearing Chairman Stark said, ``In many ways 
America has the most advanced health care system in the world. But the 
way medical records are stored and transferred in this country is right 
out of the 19th Century. If we create a system where an emergency 
doctor in St. Louis has instant access to the medical records of a 
patient who lives in Oakland, we will dramatically improve the quality 
of care while simultaneously reducing costs. It's a win-win situation. 
But the lack of progress to date shows the need for strong federal 
leadership and real investment in order to realize those benefits.''
      

FOCUS OF THE HEARING:

      
    The hearing will focus on options to encourage the adoption and use 
of a secure, clinically comprehensive, and fully interoperable health 
information technology system.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Please Note: Any person(s) and/or organization(s) wishing to submit 
for the hearing record must follow the appropriate link on the hearing 
page of the Committee website and complete the informational forms. 
From the Committee homepage, http://waysandmeans.house.gov, select 
``110th Congress'' from the menu entitled, ``Committee Hearings'' 
(http://waysandmeans.house.gov/Hearings.asp?congress=18). Select the 
hearing for which you would like to submit, and click on the link 
entitled, ``Click here to provide a submission for the record.'' Follow 
the online instructions, completing all informational forms and 
clicking ``submit''. Attach your submission as a Word or WordPerfect 
document, in compliance with the formatting requirements listed below, 
by close of business Thursday, August 7, 2008. Finally, please note 
that due to the change in House mail policy, the U.S. Capitol Police 
will refuse sealed-package deliveries to all House Office Buildings. 
For questions, or if you encounter technical problems, please call 
(202) 225-1721.
      

FORMATTING REQUIREMENTS:

      
    The Committee relies on electronic submissions for printing the 
official hearing record. As always, submissions will be included in the 
record according to the discretion of the Committee. The Committee will 
not alter the content of your submission, but we reserve the right to 
format it according to our guidelines. Any submission provided to the 
Committee by a witness, any supplementary materials submitted for the 
printed record, and any written comments in response to a request for 
written comments must conform to the guidelines listed below. Any 
submission or supplementary item not in compliance with these 
guidelines will not be printed, but will be maintained in the Committee 
files for review and use by the Committee.
      
    1. All submissions and supplementary materials must be provided in 
Word or WordPerfect format and MUST NOT exceed a total of 10 pages, 
including attachments. Witnesses and submitters are advised that the 
Committee relies on electronic submissions for printing the official 
hearing record.
      
    2. Copies of whole documents submitted as exhibit material will not 
be accepted for printing. Instead, exhibit material should be 
referenced and quoted or paraphrased. All exhibit material not meeting 
these specifications will be maintained in the Committee files for 
review and use by the Committee.
      
    3. All submissions must include a list of all clients, persons, 
and/or organizations on whose behalf the witness appears. A 
supplemental sheet must accompany each submission listing the name, 
company, address, telephone and fax numbers of each witness.

      
    Note: All Committee advisories and news releases are available on 
the World Wide Web at http://waysandmeans.house.gov.

      
    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
    Chairman STARK. If our guests could find a seat, then we will begin 
the hearing today to discuss the importance of electronic medical 
records, and the need to promote their adoption and use by the medical 
community.
    There is little doubt that the U.S. health care system is among the 
most advanced in the world, in terms of diagnosing and treating 
disease. But when it comes to medical records, we are stuck in the 19th 
century. This IT shortfall hampers our ability to provide the best care 
when people are ill.
    In my former life, as near as I can remember, when I was banker I 
helped to create the way financial information was stored and 
electronically transmitted for credit cards in this country. You can go 
to virtually any ATM in the country and instantly withdraw money or, as 
I do, get notice that I am overdrawn, and I can deposit money in a 
different bank, or see certain account information. This technology now 
allows me to receive and pay bills online. We still can't do the same 
with our medical records.
    I am not in the habit of using props, but one of the members of our 
staff gave me a copy of 2 years--this is a young man behind me--2 years 
of his medical records. This is it. It's over 500 pages, weighs 5 
pounds, and it cost more than $6 to ship it. Getting these records 
required our staff person to make several phone calls to his doctor, 
pay a medical records company $127 to copy and print it. Yet, this is 
the only way he could get his records from one physician to another, 
and because they're not stored electronically.
    As I say, that is--it's just a useful illustration of some of the 
problems that our medical providers face in trying to do that. I would 
hate to look and go back starting, I guess, in the Air Force, when I 
started getting medical records. I will bet mine are a couple of feet 
high.
    The widespread use of electronic medical records holds promise for 
increasing the quality of health care and bringing down costs. EMR's, 
electronic medical records, by themselves may have little impact on the 
cost. But they would allow us to proceed with comparative effectiveness 
research, put emphasis on disease management through primary care, and 
it has the potential to save our Nation's health care system billions--
perhaps hundreds of billions--of dollars.
    Despite its promise, we are years behind other countries in terms 
of getting doctors, hospitals, other providers to use modern 
technology. In Germany, they began an effort back in 1993. Canada 
started in 1997. Britain began its work in 2002. These countries have 
also invested billions of dollars in government funds toward developing 
their systems. By contrast, we are stuck in a rut.
    We guess that perhaps 10 to 20 percent of the physicians in this 
country have a meaningful electronic medical records system, and the 
adoption rates of hospitals is probably not much better than 20 or 30 
percent.
    It wasn't until 2004 that the Federal Government realized the need 
for leadership on this issue, when President Bush said that every 
American should have an electronic medical record by 2014. By executive 
order, he established an office within Health and Human Services to 
lead this effort.
    While the President and I happen to agree on this important issue--
and we don't agree on much--I would point out that Health and Human 
Services has moved rather slowly since the President's request. The 
Agency seems more concerned with the vendors and other entrenched 
interests than in getting the job done. The lack of progress to date is 
why we have called this hearing, and it is why we will introduce 
legislation designed to promote--and I want to underline promote--the 
adoption and use of electronic medical records while protecting patient 
privacy. I would just like to emphasize that.
    This should not be seen as an effort to slow down other commendable 
legislative efforts in this area. The opposite is true. Our bill would 
be designed to speed up the development of electronic medical record 
technology, covering three major points: to ensure that the Federal 
Government continues to promote development of a comprehensive, fully 
interoperable electronic medical records system; provide meaningful 
financial incentives through the Medicare Program that will, hopefully, 
overcome barriers to adoption; and take the necessary steps to protect 
the security and privacy of patient records, by giving individuals the 
right and ability to sue for damages when their records are breached.
    We can continue this discussion after we have heard the testimony. 
I would like to recognize Mr. Camp for comments that he would like to 
make.
    Mr. CAMP. Well, thank you very much, Mr. Chairman. I want to thank 
all the witnesses for being here.
    Paper-based records are an expensive, antiquated relic from the 
last century. Paper records harm patients, increase costs, and lead to 
lower quality care. For the 21st century, we need electronic health 
records.
    The question that needs to be answered is not whether we need to 
have better health information technology. We all know the answer to 
that is a resounding yes. The real and more difficult question is, how 
can we achieve that goal, and what role the Federal Government should 
play in getting physicians and hospitals to adopt health IT.
    Should Congress provide physicians and hospitals with Federal 
subsidies to speed adoption, or are there smarter approaches that we 
can pursue? Should the Federal Government pick which information system 
wins the standard sweepstakes, or should a public-private partnership 
establish an interoperability framework that vendors would have to 
meet?
    How can we ensure that patients' privacy is protected, while making 
sure that physicians have access to the medical data they need to make 
an informed decision?
    I have introduced a bill that attempts to strike a balance between 
these competing schools of thought. The Promoting Health Information 
Technology Act would establish a public-private entity to develop and 
recommend interoperability standards, would increase the business 
depreciation expense to facilitate adoption, and allow hospitals and 
group practices to provide needed software to physicians, and protect 
the HIPAA privacy standard, and commissions a study to determine 
whether extra protections might be needed.
    This approach will speed the adoption of workable electronic health 
records that will enable physicians and hospitals to provide better 
value to their patients. In addition, it will assist health care 
providers in avoiding unnecessary procedures, encouraging the timely 
utilization of preventative care, and empowering patients to take a 
more active role in their own health care.
    I think it is very important to hear what is happening in the 
private sector. Due to the weather last night, Douglas Reding, a 
physician from the Marshfield Clinic in Marshfield, Wisconsin, was 
unable to be here. He was going to be a part of the panel, and was 
going to testify on that important aspect. We have agreed that this 
testimony will become part of the record.
    Chairman STARK. Without objection.
    [The prepared statement of Mr. Reding follows:]

        Prepared Statement of Douglas J. Reding, MD, MPH, FACP,
        Vice President, Marshfield Clinic, Marshfield, Wisconsin

    This testimony is presented on behalf of the physicians and staff 
of Marshfield Clinic, who thank you for conducting this hearing on 
promoting the adoption and use of health information technology. We 
appreciate the opportunity to share our views regarding the potential 
for HIT to revolutionize health care and provide the necessary decision 
support to incorporate evidence based decision making into clinical 
care processes. We recognize that there is a large public and clinical 
education gap that must be bridged for Congress to begin to address the 
quality and financial challenges facing health care delivery. We 
appreciate the difficulty of the representational issues you must 
address.
    This document will summarize the following: (1) After nearly 40 
years of IT development work and expenses approximating three to four 
percent of its annual budget (currently at $950 million/year) 
Marshfield Clinic has completely converted to an electronic record 
format and is paperless in all of its 43 facilities. (2) Marshfield 
Clinic invested in the technology out of a conviction that the pace of 
scientific discovery, the pressure for increased productivity, and the 
intellectual demands of the practice of medicine vastly exceed any 
individual's capacity for the timely processing of all the pertinent 
clinical information about a patient, and the provision of state of the 
art care. To provide anything less would compromise patient safety and 
care. (3) While we see the expenses associated with the implementation 
of HIT as a necessary part of the cost of doing business, the federal 
Medicare practice expense formulas for reimbursing physicians for the 
cost of patient care have never adequately covered the cost of 
providing services to Medicare patients, especially those costs 
associated with HIT, and this has had a limiting impact on the 
proliferation of HIT throughout the medical community. (4) We have 
shown through participation in the CMS Physician Group Practice 
Demonstration that our electronic medical record and the associated 
databases empower our physicians and their staff to improve patient 
care outcomes and reduce costs to the Medicare program. (5) We 
recommend that Congress provide incentives for the utilization of HIT 
and care management systems that add value to patient care. At a 
minimum HIT must facilitate meeting the Institute of Medicine's aims 
for health care delivery assuring that care is safe, timely, efficient, 
effective, patient centric and equitable.
    Marshfield Clinic (the ``Clinic'') is the largest private group 
medical practice in Wisconsin and one of the largest in the United 
States. It is one of only a few large independent not-for-profit, tax-
exempt medical clinics in the United States. The Clinic is engaged in 
providing quality health care, health care education, and medical 
research. The Clinic owns and operates outpatient clinical, 
educational, and research facilities with its main clinical facilities 
and administrative offices located in Marshfield, Wisconsin. The Clinic 
currently employs more than 780 physicians and 6500 additional staff. 
The Clinic has 42 regional centers in addition to the Marshfield 
location and operates in 35 Wisconsin communities throughout Central, 
Western, and Northern Wisconsin, which is a predominantly rural area. 
Marshfield Clinic has developed and acquired sophisticated tools, 
technology, and other resources that complement and support the 
population health management mission and strategy of the Clinic. These 
include an electronic medical record, a data warehouse, an immunization 
registry, and an epidemiological database that enable enhanced 
definitions of disease states, diagnoses or conditions, and cost 
analysis of CPT level interventions. Marshfield Clinic's 43 regional 
centers are linked by common information systems. With this 
infrastructure, the Clinic is presently publicly reporting clinical 
outcomes, and providing physicians and staff quality improvement tools 
to analyze their clinical and business processes, eliminate waste and 
unnecessary redundancies, and improve consistency while simultaneously 
reducing unnecessary costs. The Clinic's largest facilities are 
adjacent to St. Joseph's Hospital of Marshfield, Inc., a 524 approved-
bed acute care and teaching hospital, which is owned and operated by 
Ministry Health Care, Inc., a tax-exempt organization, headquartered in 
Milwaukee, Wisconsin.
    We believe that health information technology has the potential to 
significantly increase clinical care efficiency by reducing costs and 
increasing value (defined as quality/cost) by enabling providers to 
manage information. To the extent that a provider can manage what he/
she can measure, HIT enables performance measurement and the 
improvement of patient care outcomes. In many, but not all avenues, 
improvement in patient care also leads to efficiencies and savings, 
primarily through reductions in hospitalizations, readmissions, and the 
utilization of intensive services.
    For this reason we believe that the Federal Government should 
stimulate the adoption, and utilization of HIT. As the Congressional 
Budget Office has recently shown, 85 percent of Medicare expenditures 
are concentrated among 25 percent of beneficiaries, and CMS has shown 
us that this population is predominantly individuals who have four or 
more chronic conditions. We recommend that Congress should initially 
subsidize the use of HIT through the Medicare program to promote rapid 
assimilation of the skill sets that are associated with the management 
of chronic disease. While the time factor associated with this cultural 
change in the practice of medicine may be protracted, ultimately it may 
be appropriate for the Federal Government to phase out the subsidies 
and impose penalties on providers who fail to achieve defined standards 
of professionalism in their utilization of health informatics 
resources.
    Marshfield Clinic has long used information systems to facilitate 
care process redesign for patients with chronic illnesses, and the 
organization expanded its efforts after becoming a participant in the 
Center for Medicare and Medicaid Services (CMS) Physician Group 
Practice (PGP) Demonstration project. As a result of these expanded 
efforts, Marshfield Clinic enhanced access to care, reduced 
hospitalizations and costs, and became one of two PGP sites (out of 10 
total) to earn a performance bonus from CMS in FY 2007. Results of the 
second year of the demonstration are forthcoming in the next few weeks, 
but we are embargoed under CMS' terms and conditions of the 
demonstration from discussing the results. Leave it to say that we are 
confident that care management works, and may be enhanced through HIT 
applications.

Description of the Marshfield Clinic electronic medical record

    Marshfield Clinic is unique in that is has developed its own 
electronic health records and ancillary reporting systems over the last 
thirty years. The system, called Cattails MD, was the first internally-
developed system to gain CCHIT certification last year, and has 
recently been made available for resale in the EHR marketplace.
    The clinic first implemented an EMR in 1985, and over time the 
practice has promoted adoption of the full functionality of the system. 
Since 2003, Marshfield Clinic has been deploying portable wireless 
tablet computers that led to a chartless medical environment by the end 
of 2007. All physicians and their support staff now use the tablet 
computers, which are linked to the Clinic's sophisticated electronic 
medical record. With wireless computers, providers can instantly access 
confidential medical history, radiology reports and images, test 
results and expert opinions. They can take notes, enter orders and 
write prescriptions electronically. Our physicians say that their 
practice is much more organized and efficient with the use of the 
tablet. It brings what previously was only available at our desktop 
into the exam room.
    Our physicians can track blood pressure readings and lab results on 
tablet computers and check which preventive screenings, such as 
mammography or colonoscopy, are due. They can show their patients 
diagrams or streaming video of procedures they may undergo.
    Storing, retrieving and updating paper charts is time-consuming and 
costly. Exam room access to electronic records enhances patient 
security, reduces errors and eliminates duplicate tests, all of which 
allows us to provide better care. We estimate that the elimination of 
pulling paper charts alone has resulted in a $7 million savings 
annually. Patient medical records are accessible to those who need to 
know throughout the Marshfield Clinic system, and will be available at 
the Clinic's affiliated hospitals.
    Providers can instantly print out patient educational materials 
rather than leaving the exam room to search for information. When a 
provider can take the time to educate patients about diseases, risk 
factors and recommendations to improve their health, patients are more 
likely to comply. The ability to quickly get information clearly 
improves the quality of the patient visit.
    Imagine your elderly mother has chest pain in the middle of the 
night. You bring her to the emergency department of your hospital. She 
can't remember the medications she takes. If she is a Marshfield Clinic 
patient her medical record is instantly available to the emergency room 
physician caring for her. Her medications, allergies, X-rays, 
electrocardiogram and notes from past medical exams are available 
electronically. The physician has instant access through a wireless 
computer tablet linked to Marshfield Clinic's sophisticated, integrated 
electronic medical record.
    If your mother needs additional diagnostic tests, referral to a 
Marshfield Clinic specialist, or a follow-up visit with her family 
physician, she has access to all of those services at our Regional 
Medical Centers. Details of her emergency room visit will be available 
immediately to all of the providers on campus and throughout the 
Marshfield Clinic System. This promotes communication about her 
condition, and minimizes the need to repeat studies.
    In order to assist with our quality performance, the Clinic 
developed a comprehensive package of initiatives that leverage the 
electronic technologies to redesign care for chronically ill patients, 
to identify improvement opportunities, collect needed information at 
the point of care, and report performance back to physicians.
    For example, our PreServ (Preventive Services) System is able to 
alert physicians when preventative services are due for a patient 
during a visit with a primary care manager. In PreServ, the EMR 
generates a preventive services (PRESERV) list on the dashboard of each 
electronic patient record. This box compares the patient's clinical 
profile with evidence-based clinical practice guidelines formed from a 
number of sources including the ADA and input from endocrinologists at 
Marshfield, and highlights (in red) gaps in care related to preventive 
services, immunizations, routine screening, and diabetes care needs; 
eventually, this functionality will be expanded to cover additional 
disease states. The system prompts the physician to provide or schedule 
needed preventive services during the patient visit. In contrast to 
disease-specific programs and care registries, this list allows 
physicians to proactively plan and coordinate needed preventive, 
screening, treatment, monitoring, and education across a spectrum of 
diseases for each individual patient.
    Our EMR also includes a system for flagging high-priority patients. 
A ``hierarchical defect recovery list,'' which acts as a safety net, 
includes high-risk patients with multiple chronic conditions that are 
in need of immediate attention. High-risk patients with serious gaps in 
care (e.g., diabetes patients who have not made appointments for annual 
eye and foot examinations and whose hemoglobin A1c level is above goal) 
appear at the top of the list; physicians and staff use this list to 
work with the patient to provide or schedule needed care immediately. 
When a diabetic patient visits a physician for example, he or she is 
notified of the need to conduct a foot exam. Physicians are then 
provided ``Clinical Storyboards'' showing their performance with 
selected quality measures such as foot exam compliance. Since starting 
to measure and report these key quality areas, we have seen increases 
in percentage of patients at goals, that are specified in public 
reporting and efforts such as the PGP Demo, for key areas such as 
hypertension, diabetes, congestive heart failure, and coronary artery 
disease.
    We have also implemented an anticoagulation care management system. 
All patients who take the drug, Warfarin, which is a high-risk 
medication with a narrow therapeutic threshold, are managed under a 
single set of protocols. Under this nurse-managed, physician-directed 
telephonic management program, nurses place outbound calls to patients 
to discuss their anticoagulation management and check on their general 
health. As needed, nurses adjust dosing based on written protocols and 
enter updates into the EMR.
    The Clinic has also implemented electronic prescribing to enhance 
safety. Physicians use tablet PCs for electronic prescribing, with 
prescriptions printed by computer, thus reducing the potential for 
medication errors.
    We have implemented a 24-hour nurse line. Patients have access to a 
24-hour telephone number staffed by nurses. Nurses listen to the 
patient's concerns, refer to the EMR for background data and care plan, 
offer advice, and triage patients for physician appointments using 
physician-approved guidelines. An automated e-mail system notifies 
physicians whose patients have called the nurseline and provides a 
hyperlink to the patient's medical record.
    The Clinic is also utilizing the system to facilitate ongoing 
quality improvement efforts including continuing medical education, 
online provision of care guidelines, feedback and education by quality 
improvement medical directors and clinical nurse specialists, and 
sharing of comparative data on performance and best practices. The EMR 
facilitates many of these efforts by allowing physicians to collect 
data on quality thereby providing timely, actionable feedback on 
individual performance.
    A key component of the CMS demonstration project was to show an 
overall decrease in cost in comparison to other regional healthcare 
providers. Marshfield Clinic was one of only two practices to 
accomplish this. One way we leveraged our information systems to help 
reduce costs and hospitalizations was to identify patients who are not 
well managed in one or more critical quality areas. To address this 
problem Marshfield Clinic developed a software tool called ``iList'' 
(Intervention List), which is used in primary care including Internal 
Medicine, Med-Peds and Family Practice departments. iList originates 
from the electronic medical record and provides a list by provider of 
patients who have one of three chronic illnesses--diabetes, heart 
failure or hypertension--and who do not meet all of their recommended 
health goals. iList is a tracking tool intended to help providers 
identify and reach out to patients who are overdue for services and are 
not meeting their quality of care goals. iList proactively assures that 
our patients get the care they need to try to help provide better 
control of their chronic medical conditions. Our physicians and their 
assistants use iList to be sure patients, especially those with 
diabetes, have lab work and follow-up visits when needed. In the past, 
patients might not have understood they needed to come in more 
frequently because they have diabetes. iList is a highly sophisticated 
reminder system, and can help physicians examine their practices 
realistically and take action to improve care where there may be gaps. 
Our physicians have found that using it has been an eye-opener as far 
as putting a face on those patients who could be slipping through the 
cracks. Physicians are typically trained to take care of an individual 
patient and are not typically trained in the management of populations 
of patients. Using tools such as iList have allowed us to improve our 
performance on the quality metrics reported and more importantly the 
health of our patients as evidenced by decreased hospitalizations in 
some chronic conditions. For Marshfield Clinic to be competitive on the 
basis of results, we need to know what our results are. This helps 
bring results to a patient level and lets us know where we stand on 
quality measures.
    iList is not a registry. Patients who are on target for their 
health goals do not appear on iList and it is not a registry of all of 
a provider's patients or a listing of all patients with a specific 
condition. Only patients who have not achieved a specific quality 
measure or who don't have a future appointment will show up at any 
given time, and once they meet their goals they are removed from the 
list. iList may be viewed as being a subset of a registry, which would 
include all of a provider's patient population. The patients listed on 
iList are patients not on target for their monitored quality health 
metrics.
    Provider-approved protocols make iList unique. Key to understanding 
iList's potential, and part of what makes it different from other 
Information Systems tools, is provider-approved protocols built to 
accompany the application. The step-by-step written protocols--derived 
from evidence-based medicine in the Marshfield Clinic guidelines for 
hypertension, heart failure and diabetes--delegate interventions and 
actions to be carried out by medical assistants and other support 
staff.
    The protocols may be used as part of a patient-specific plan of 
care from the patient's primary care provider. With protocols providing 
direction, support staff may review the list and initiate actions to 
help patients reach their goals. Per protocol, for example, support 
staff may call a diabetic patient to schedule an overdue fasting lipid 
panel or foot exam. This promotes a team-based approach in the patient 
care process.
    iList exclusions--Certain patients with chronic conditions may be 
excluded from the iList application by the provider for reasons such as 
advanced age, terminal illness or contraindications to the usual care. 
This ability allows the iList application to individualize care for 
patients while considering population based measures for quality.

Potential to track other conditions

    Development of iList was hastened due to Marshfield Clinic's 
participation in the Centers for Medicare and Medicaid Services (CMS) 
Physician Group Practice Demonstration project which began in 2004. In 
order to improve our performance in the demonstration, our providers 
wanted the ability to look more closely at overdue services for 
patients with the three chronic conditions previously mentioned.
    Implementation of iList may provide the opportunity to address the 
way care teams handle planned care workflows. Planned care visits allow 
for results to be available at the time of a patient's visit to allow 
direct immediate direction and changes to the patient's care plan. This 
immediacy decreases the need for repeat visits and decreases rework 
(letters, telephone calls for communication of results) and for the 
patient and the practice after the visit. iList makes it easier to 
provide support to practices to help plan care for patients. This tool 
takes a huge step in that direction.
    The Clinic has also developed additional reporting mechanisms to 
identify patients at risk of hospitalization (for example, congestive 
heart failure patients) who qualify to be added to the disease-
management program. Once a patient is identified through criteria-
driven data-mining, Care-Management staff review the patient's 
electronic chart and make a determination if the patient meets criteria 
to be added to the disease-management system. This system provides a 
worklist and documentation capabilities for the clinical staff to 
monitor at-risk patient populations, and escalate a patient's condition 
to a physician if required.
    While most of the groups participating in the CMS PGP program also 
have electronic medical record systems, Marshfield Clinic is unique in 
that it has developed its own systems and data warehouse. This has 
allowed the group to customize its software as required and react 
quickly to meet reporting needs. We went through the typical quality 
reporting progression: denial that the results are accurate, 
improvements to data collection, improvement in acceptance of the 
results, improvements in process and outcomes resulting in clinicians 
wanting more data, faster. Because we have developed our own systems 
and data warehouse, we are able to react quickly and fine-tune as 
required to continually improve our data accuracy and timeliness.
    Recently, Ministry Health Care, the predominant hospital provider 
in the Marshfield Clinic service area agreed to use CattailsMD, an 
electronic medical record software suite developed by Marshfield 
Clinic, in most of its hospitals and Ministry Medical Group.
    The agreement will create the largest patient database in 
Wisconsin. Under the agreement, more than 1,000 providers in the 
Marshfield Clinic system, at Ministry Medical Group and Ministry 
hospital locations, will share access to 2.5 million patient records.
    The implementation of Cattails within Ministry Health Care will 
take place over 3 to 5 years. CattailsMD, now used by more than 13,000 
healthcare providers, is the first provider-developed ambulatory 
electronic medical record to achieve Certification Commission for 
Healthcare Information Technology certification.
    With CattailsMD, caregivers will have immediate access to all 
patient medical information, including lab results and radiology 
images, over their computers--no matter where they are located. The 
electronic records provide care and security advantages over paper 
charts that must either be retrieved from a central storage area or be 
physically taken from one location to another within a healthcare 
system.
    As part of the CattailsMD implementation, Marshfield Clinic will 
provide planning, project management, training, and technical support 
to Ministry Health Care. From a technology standpoint, the CattailsMD 
system stood out because its physicians liked the tablet platform and 
had witnessed its success at one Ministry health clinic. Physicians 
like the CattailsMD system because it's delivered as a service where 
Marshfield Clinic hosts the data and manages the applications.
    Marshfield Clinic has a very mature data warehouse infrastructure 
and a world-class bioinformatics research group. Some organizations 
have gone through very expensive and time-consuming EMR implementation 
efforts, but when they were done, they still had nothing in terms of 
data warehousing and the tools they need to manage clinical outcomes. 
Ministry's goal was to be proactive and take advantage of the benefits 
evident in the EHR as seen in the Marshfield Clinic system of care. 
Rather than wait for the patient to show up in the examination room, 
with CattailsMD their providers will be able to see which diabetic 
patients, for example, are overdue for their eye or foot exam 
screenings.
    Diabetes mellitus is a rapidly increasing and costly public health 
problem. Large studies are needed to understand the complex gene-
environment interactions that lead to diabetes and its complications. 
The Marshfield Clinic Personalized Medicine Research Project (PMRP) 
represents one of the largest population-based DNA biobanks in the 
United States. As part of an effort to begin phenotyping common 
diseases within the PMRP, we have reported on the construction of a 
diabetes case-finding algorithm using electronic medical record data 
from adult subjects aged 50 years living in one of the target PMRP ZIP 
codes. Based upon diabetic diagnostic codes alone, Clinic scientists 
observed a false positive case rate ranging from 3.0% (in subjects with 
the highest glycosylated hemoglobin values) to 44.4% (in subjects with 
the lowest glycosylated hemoglobin values). They developed an improved 
case finding algorithm that utilizes diabetic diagnostic codes in 
combination with clinical laboratory data and medication history. This 
algorithm yielded an estimated prevalence of 24.2% for diabetes 
mellitus in adult subjects aged 50 years.
    Marshfield Clinic has also embarked on a novel project to match 
genetic information from Alzheimer's patients with environmental 
factors that may contribute to the disease. The 2-year project is the 
first to tap the more than 18,000 DNA samples Marshfield Clinic has 
gathered for its Personalized Medicine Research Project, one of the 
nation's largest bio-banking efforts. Capitalizing on Marshfield's 
extensive database of electronic medical records, the project aims to 
develop a set of genetic markers that would allow doctors to screen a 
person early in life to determine their risk for the disease.
    The study will focus on four specific genes and their connection to 
the disease. In addition to the patient's DNA, we have a complete 
medical record. We know the medications they have been taking and what 
diseases they have been diagnosed for. We have also some environmental 
factors. Consequently we can perform genetic analysis and look at genes 
and the DNA with the phenotypes we have. No other projects to date has 
made that critical phenotype-genotype link that is the subject of this 
Alzheimer's project within the Marshfield Clinic Personalized Medicine 
Research Project. The study is focusing on patients who are at least 
70. Researchers will study 150 people who have Alzheimer's disease and 
about 300 people who do not. They will be re-contacting people they 
believe do not have Alzheimer's to confirm that, doing what are called 
mini mental exams, basically short lists of questions that are commonly 
used in clinical settings to confirm that the person truly does not 
have the disease. The project will also include a study of statins, 
which are one of the most commonly used medications to lower 
cholesterol and may actually protect a person from developing 
Alzheimer's. The project also will study the effects of smoking on the 
brain.

Protecting Privacy and the Security of Health Information

    Marshfield Clinic has long been a proponent of HIT implementation, 
and federal policy reforms that would enable broad proliferation of an 
IT infrastructure necessary to sustain and improve the quality of 
health care services. The Clinic's electronic medical record is an 
essential tool for patient care that our physicians and care providers 
have utilized in the CMS Physician Group Practice Demonstration to 
identify sick and chronically ill patients and assure that they receive 
necessary primary and preventive services in a timely manner to avoid 
intensive specialty procedures and hospitalizations. We strongly 
recommend that Congress provide incentives for the utilization of HIT 
and care management systems that add value to patient care. We urge you 
to structure incentives in the Medicare program to hasten the objective 
of broad proliferation of HIT throughout the medical community. We have 
concerns, however, about proposed legislation that would change the 
current Health Insurance Portability and Accountability Act (HIPAA) 
Privacy and Security Rules that strike a necessary balance between 
protecting the privacy and sanctity of a patient's medical information 
and ensuring that necessary information is available for vital health 
care functions.
    On many levels we believe that H.R. 6357, the ``Protecting Records, 
Optimizing Treatment and Easing Communications through Health Care 
Technology Act of 2008'' is important legislation that offers 
incremental improvements to the policy landscape regarding the 
promotion of Health Information Technology and the protection of 
patient's personal health information. We have concerns, however, about 
several provisions of the legislation. We are concerned that this bill 
will increase the costs of providing health care and the cost of 
implementing electronic medical records without any measurement of the 
problem it is trying to solve.
    H.R. 6357 codifies ONCHIT, provides grants and loans for HIT, but 
most importantly the bill creates new privacy and security provisions 
which require notification of breaches of PHI by covered entities and 
business associates. The bill also includes restrictions on certain 
disclosures of PHI allowing patients to request that their information 
not be released to health plans in certain circumstances.
    Currently the HIPAA Privacy Rule permits providers and health plans 
that receive protected health information from a patient to share that 
patient's information with other providers/health plans for treatment 
purposes without the patient's authorization. In addition, covered 
entities can share with others the minimum amount of such information 
necessary for payment and for the entity's operations, such as quality 
improvement activities. Beyond that, authorization from a patient must 
be secured before sharing the patient's information. The Privacy Rule 
requires that health care providers and health plans use the minimum 
necessary amount of personal health information to treat patients and 
pay for care by relying on patients' ``implied consent'' for treatment, 
payment of claims, and other essential healthcare operations. This 
model has served patients well by ensuring quick and appropriate access 
to medical care, especially in emergency situations where the patient 
may be unable to give written consent. For all other types of uses and 
disclosures, including for marketing purposes, covered entities must 
obtain prior written consent.
    The PROTECHT Act requires covered entities to make a reasonable 
effort to restrict the use, disclosure, or request of PHI to a 
``limited data set'' of information as defined in regulation. If the 
limited data set is insufficient, the covered entity must restrict the 
use, disclosure, or request of PHI to the minimum necessary to achieve 
the purpose. The PROTECHT Act encourages the use of ``the limited data 
set,'' which strips identifiers such as the name, medical record 
numbers, images, biometric identifiers and social security number of 
the patient. It also includes a new consent provision that requires 
additional patient consent if the PHI is utilized in operations, such 
as peer review, quality review, standard of care review, malpractice 
review, or best practices analysis.
    The requirements for a ``limited data set'' could be particularly 
onerous because it is impossible to know in advance what information is 
needed for most services. The ``minimum necessary to achieve the 
purpose'' makes it cumbersome to evaluate unexpected findings that were 
not anticipated. The question arises: Who will make this determination 
and at what cost? Consultations could become 20% opinions rather than 
second opinions based on a keyhole view of the potentially relevant 
data. The size of the keyhole will be limited by the imagination of the 
sender and will likely force duplication of effort by the receiver. The 
requirement to track releases between covered entities could inhibit 
the willingness of entities without advanced computer systems to share 
patient information. It is in the nature of free text that any given 
note will be a mixture of information, some relevant and some not; and 
the same could be said of many laboratory tests. Should we be required 
to black out items that someone doesn't think are useful? Who will 
provide this censorship service? Are we to make separate requests for 
information for different specialists seeing the same patient? Will 
this curtail the use of shared electronic medical records among 
entities?
    We are also concerned about additional patient consent if the PHI 
is utilized in health care operations, such as utilization review or 
best practices analysis. This will be an obstacle for quality 
improvement. Although the bill may be referring to ``outside'' review, 
the problem with ``outside'' is intractable, because almost all of our 
patients are hospitalized ``outside'' of the Marshfield Clinic at the 
hospitals where our physicians have admitting privileges. This will 
complicate collaborative efforts between the Clinic and the hospitals 
for quality improvement.
    Section 312: This section would prohibit the Clinic from sharing 
PHI about a specific service with a patient's insurance company, if a 
patient elected to pay cash and not submit the service for payment by 
the insurance company. This may be difficult in an electronic medical 
record setting as the bill would require that medical records be 
segregated so that medical records for cash services are never sent to 
or viewed by the insurance company. At Marshfield Clinic, patient 
medical records are often sent electronically to third party payors and 
at times, payors may be granted electronic access to certain patient 
medical records as necessary to process claims. If H.R. 6357 were 
enacted, we would have to institute additional processes to segregate 
electronic medical records for services that are billable to the 
insurance company and those that the patient elects to pay cash for so 
that certain records are neither sent to the insurance company whether 
electronically or via paper. The Clinic will also need to ensure that 
the insurance company is never given electronic access to the 
electronic medical records for such health care that was not reimbursed 
by the insurance company. This may also negatively impact a health 
plan's ability to monitor the health of its enrollees and to offer 
preventive care services, as there will be gaps in data that is 
provided to the insurance company about health care that has been 
provided to their enrollees.
    Requiring an accounting of disclosures for all disclosures of PHI, 
including for treatment, payment, and healthcare operations will be 
difficult. We currently do not log all these disclosures and it would 
be difficult to capture all since many times records are released 
directly by providers for treatment purposes, the billing office for 
payment etc. These disclosures are not logged or accounted for--as the 
law does not currently require this. In order to log all these 
disclosures, it is likely that any and all requests for PHI would have 
to be handled by our Health Information Management department and our 
release of info staff. This requirement could add 10-30% to the cost of 
implementing a robust EMR.
    Requiring patient consent before a disclosure can be made for 
health care operations in an electronic medical record would likely 
require that each patient whose PHI is in the EMR sign such a release 
in advance. Each of health care providers who participate in the 
Clinic's shared electronic medical record have access to all the PHI 
contained in the electronic record, therefore they can use the PHI as 
necessary for treatment, payment, healthcare operations without 
notifying the other providers whose medical records are being accessed 
in the shared EMR. So long as there is a shared patient relationship, 
such access is currently permissible under HIPAA without the patient's 
authorization. In addition, the Clinic routinely uses its own medical 
records for healthcare operations such as quality review, peer review, 
malpractice claims handling, risk management, etc. It would be 
burdensome to obtain patient authorization each time their record was 
accessed for such purposes. Many patients would object and thus the 
records could not be used for these important health care purposes.
    The proposed HIPAA privacy rule was first published on November 3, 
1999. During the rulemaking process, the proper role for consent was 
carefully debated and considered. After drawing more than 50,000 
comments from interested parties, the modified final version of the 
privacy rule was published August 14, 2002. During this time, requiring 
providers to obtain consent to use and disclose protected health 
information for treatment, payment and health care operations 
specifically was rejected based on the comments that HHS received. The 
``most troubling'' and prevalent concern, based on their assessment, 
was that ``health care providers would not have been able to use or 
disclose protected health information . . . prior to their initial 
face-to-face contact with the patient, something which is routinely 
done today to provide patients with timely access to quality health 
care.''
    What is considered a ``health care operation'' under the HIPAA 
Privacy Rule?
    As defined by the privacy rule, health care operations includes the 
following activities:

          Conducting quality assessment and improvement 
        activities, including: outcomes evaluation and the development 
        of clinical guidelines; population-based activities to improve 
        health or reduce costs, such as infection surveillance or 
        sentinel event root cause analysis; participation in quality 
        reporting, such as to Joint Commission or the Reporting 
        Hospital Quality Data for Annual Payment Update (RHQDAPU) 
        initiative; protocol development; case management and care 
        coordination; contacting providers and patients with 
        information regarding treatment alternatives;
          Reviewing competence of health care professionals, 
        including: practitioner and health plan performance evaluation; 
        training programs for health and non-health care professionals; 
        accreditation, certification, or licensing.
          Conducting or arranging for medical review or 
        auditing functions such as fraud and abuse detection and HIPAA 
        compliance programs.
          Business management and general administration, 
        including: formulary development and administration; 
        development or improvement of methods of payment or coverage 
        policies; customer service activities; creating de-identified 
        health information for purposes of research.

    In order to achieve the potential benefits of health information 
technology (HIT), providers and other entities must be able to use it 
as a tool to improve the quality and efficiency of health care 
delivery. For example, greater adoption of HIT could improve the 
management of chronic disease through better coordination of care and 
the development of best practices. However, generating the processes 
and protocols to make this a reality will require providers to conduct 
activities, such as analyses of data collected via HIT, considered 
health care operations under the Rule. Requiring consent for these 
types of essential activities would severely hinder these types of 
crucial functions needed to reap the much-touted advantages of HIT.
    For other types of uses, such as for population-based activities 
aimed at outcomes improvement or participation in quality reporting 
programs, requiring consent would prevent entities from securing the 
needed-threshold for meaningful success. For example, creating de-
identified or limited data sets for the purposes of research requires 
that the population on which it is based meet critical parameters that 
could be difficult to meet if it omits certain categories of patients. 
In the most serious instances, providers could be penalized 
significantly for failing to obtain affirmative consent for some types 
of operations. For instance, hospitals that could not obtain consent to 
use patient information for the purpose of reporting on quality 
measures for participation in the RHQDAPU initiative would receive a 
reduction of two percentage points in their Medicare annual payment 
update.
    For these reasons, even proposed provisions that would require only 
a one-time or ``blanket'' consent for uses or disclosures of 
information for health care operations, would become unworkable in 
practice. A failure to obtain consent from even a fraction of a given 
population would preclude providers and other covered entities from 
conducting essential quality improvement and research functions. 
Likewise, provisions that would allow an individual to retract consent 
would impose an additional layer of burden by requiring covered 
entities to track information that was previously used or disclosed and 
retroactively remove the effects of various transmissions.

Summary

    It is extremely important that legislation focused on the adoption 
and use of safe and secure electronic health information systems be 
adopted as soon as possible, as such systems will be the foundation for 
essential improvements in quality and access to care, movement in the 
direction of evidence-based medicine, expanded access, and value-based 
purchasing. A robust HIT system enhances physicians' ability to take 
care of populations of patients without losing sight of the individual 
needs of patients. It is important, however, to keep in mind that 
change in a culture of autonomy takes time. The use of an electronic 
health record is necessary but not sufficient to affect change.
    There is no question that HIT is expensive, and perhaps cost-
prohibitive. Physicians and providers are expected to pay for it, 
funding and maintaining the infrastructure of systems that utilize 
population-based information to improve patient health. There is a very 
small return on the investment in HIT to the physician, which is a 
return in efficiency and time. The significant benefits accrue to the 
patient and the payor, whether it be employers or the government. If 
Congress mandates changes such as imposing restrictions on the 
utilization of patient information for operations as proposed in H.R. 
6357, we estimate that the cost of HIT will increase dramatically, 
undermining the return on investment that should accrue to patients and 
payors.
    We would like to acknowledge the contribution that Dr. Peter Orszag 
and the Congressional Budget Office have made in calling attention to 
the research in variations in treatment and outcomes conducted at the 
Dartmouth Medical School under the guidance of Drs. Jack Wennberg and 
Elliott Fisher. Considering the rapid expansion of new medical 
knowledge occurring today, it might be reasonable to expect this 
continuing variability in care. The accelerating growth in new medical 
knowledge, coupled with the birth of new sciences, such as genomics and 
personalized medicine, suggests that physicians, nurses, and other 
health care professionals will invariably continue to fall further and 
further behind in their ability to keep up with the latest discoveries 
and approved treatments. As information technology has sparked this 
explosive growth in knowledge, only information technology can provide 
an adequate response. By using evidence-based knowledge embedded in 
clinical decision support deployed within a well-designed workflow, 
physicians can manage the ever changing and growing knowledge base 
critical to the delivery of effective and efficient healthcare.
    Health IT on a broad basis is still in its infancy. Health care 
organizations have not developed IT to its full potential. Current 
costs may seem too high for what we are getting in return. Looking at 
what our costs today are is not the point. Start up costs will always 
be high. Looking to what can be achieved in the future due to 
implementation of these systems should be our focus.

                                 

    Mr. CAMP. With the debate over health IT moving forward, 
there has been considerable attention placed on privacy and 
security. I agree that we must consider these important issues, 
and we must be cautious, however, that in a desire to complete 
an HIT bill, any HIT bill, that we do not limit the ability of 
health care workers and facilities to actually provide the 
proper health care.
    Congress must encourage providers to make this 
transformation, not over-burden them with a new, unworkable set 
of regulations. At the risk of taking a well-known phrase, the 
remedy cannot be worse than the disease.
    Earlier this week I read that the Chairman hopes to 
introduce a health IT bill in coming weeks. I sincerely hope 
that the Chairman will accept my offer to work in a bipartisan 
manner, just as the Energy and Commerce Committee is doing on 
health IT legislation. It is an important issue. With that, I 
yield back the balance of my time.
    Chairman STARK. Thank you, Mr. Camp. At this point, we will 
proceed with our panel. It will be led off by Dr. Peter Orszag, 
who is the director of the Congressional Budget Office, with 
whom we constantly battle over numbers and procedures.
    I warn the rest of the witnesses, he used electronic 
prescribing to get a gallon's worth of high-test caffeine in 
front of him instead of water, so he should be ready to really 
zero in on us.
    I am going to ask Dr. Yul Ejnes, who is the Chairman of the 
medical services Committee of the American College of 
Physicians; Ms. Deven McGraw, who is the director of the Health 
Privacy Project at the Center for Democracy and Technology; Dr. 
Matthew King, who is the chief medical officer at Clinica 
Adelante, Incorporated, of Surprise, Arizona; Mr. LeRoy Jones, 
of GSI Health of Philadelphia, Pennsylvania; and Mr. David 
Whitlinger, director of healthcare device standards and 
interoperability at the Intel Corporation will lead off, and 
ask each of the witnesses to summarize or expand on their 
written testimony in any manner that they are comfortable. Then 
we will let the panel expand through questions.
    Dr. Orszag, would you like to lead off?
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    Mr. ORSZAG. Mr. Stark, Mr. Camp, Members of the Committee, 
I guess I will hope to escape this battle without too much 
carnage, with the defense of my caffeine. But let me try to 
focus in on what I consider to be the largest inefficiency in 
the economy, which is our health care system.
    Credible estimates suggest that as much as $700 billion a 
year in health care services are delivered that do not improve 
health outcomes. That is 5 percent of GDP, 30 percent of what 
we spend on health care, $700 billion. That number comes from a 
variety of calculations, including the very substantial 
variation that we see across the United States in the intensity 
of services provided without any corresponding benefit, in 
terms of the quality or outcomes that result from the higher 
spending regions.
    It is striking, for example, that among Medicare 
beneficiaries in the last six months of life who are treated at 
UCLA Medical Center, the average cost is roughly $50,000 a 
year. Among those beneficiaries in the last 6 months of life 
who are treated at the Mayo Clinic, the average cost is about 
$26,000 a year.
    I cannot tell you--and I don't believe that there is a 
person in this country who can tell you--what we are getting in 
exchange for the extra money at UCLA Medical Center. So, why is 
this happening?
    I think there are a variety of explanations. But technology 
and incentives are among the most important. Let's start with 
incentives. We have incentives for more care, rather than 
better care. Guess what? We wind up with more care. But in 
order to alter that system of incentives, we need to know what 
better care is. That brings me to the second point, which is 
that we need more information on what works and what doesn't, 
specifically at the clinical level. That will require a very 
much expanded set of health information technology.
    So, one can think of health information technology as the 
foundation or the gateway to capturing that $700 billion 
opportunity. It will not be sufficient by itself, but it is 
necessary to put in place a more universal system of health 
information technology in order to capture the opportunities 
that we have before us. I would emphasize I think this is, by 
far, not even close, the most important fiscal question that we 
face: improving the efficiency of the nation's health system.
    So, how do we do that? There are a variety of approaches, 
and I am going to leave to my fellow panelists the important 
questions surrounding privacy, security, interoperability, and 
just focus in on, assuming that we can come up with acceptable 
answers to those questions, how do we spur adoption? Because as 
you have already noted, only 10 to 20 percent of providers have 
such systems.
    Basically, there is either the carrot or the stick. The 
carrot could take the form of a bonus or a tax incentive for 
adoption. That can help to increase adoption among providers. 
But, typically, policy makers want to limit the budget costs 
involved, and typically, the subsidy is, therefore, pretty 
small. What you are, therefore, doing, is only affecting those 
entities that were close to adopting voluntarily.
    So, a provider or a doctor or a hospital will look at the 
cost of putting in the system, and then the benefits to the 
doctor or the hospital, and adopt if they think it's 
beneficial, and not, if not. What you're doing is only pushing 
over the line those folks who were close anyway, with a modest 
subsidy. Plus, you're buying out the base, or providing a 
subsidy to all the entities that would have adopted anyway.
    So, in general, a subsidy approach, unless you're going to 
spend lots and lots of money, is not going to affect that many 
people, and it's not that cost effective, because you're going 
to be buying out some people who would have done it anyway.
    The alternative is a stick. The stick would take the form 
of the Federal Government saying you have three or four--some 
years, or some period of time to adopt a health IT system that 
meets the following standards, or meets the standards set by a 
public-private partnership. If you have not done so, you would 
not be reimbursed under Medicare or Medicaid.
    I will say, very bluntly, that if we want to get to 
universal or nearly universal health IT in the very near term 
at reasonable budget cost, I do not see an alternative to the 
stick. One can combine these two approaches, like you did in 
the prescribing piece of the legislation that you've recently 
adopted, and provided a subsidy for some period of time, and 
then a penalty thereafter.
    I will note that CBO did score a $2 billion savings to the 
e-prescribing provision in the recent Medicare legislation, 
both because we assumed, or we projected that it would lead to 
increased take-up of generic drugs, but also because there 
would be some penalties imposed, the point being that, if done 
right, and done in the right structure, health IT can save 
money.
    On a broader basis, I would just say again, coming back to 
the main point, it's necessary but not sufficient. You also 
need changes in incentives and comparative effectiveness. But 
it is a foundation, and the gateway or the key to capturing 
that $700 billion opportunity, and we could get there with a 
combination of carrots and sticks. Thank you very much.
    [The prepared statement of Mr. Orszag follows:]

                 Prepared Statement of Peter R. Orszag,
              Ph.D., Director, Congressional Budget Office
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    Chairman STARK. Thank you.
    Dr. Ejnes.

  STATEMENT OF YUL D. EJNES, M.D., CHAIRMAN, MEDICAL SERVICES 
           COMMITTEE, AMERICAN COLLEGE OF PHYSICIANS

    Dr. EJNES. Thank you, Chairman Stark and Ranking Member 
Camp. My name is Yul Ejnes, M.D. FACP. I serve on the American 
College of Physicians Board of Regents. I am a general 
internist in private practice in Cranston, Rhode Island, and I 
am also a Member of the medical faculty at Brown University.
    Representing 126,000 internal medicine physicians and 
medical students, we share your optimism that health 
information technology can improve health care. Many studies 
have found that full adoption and utilization of HIT can 
improve quality and reduce high medical costs. Patients who are 
fortunate enough to have a physician who is supported by 
electronic health records and other information systems are 
more likely to receive better coordinated care, and be less 
likely to be exposed to medical errors.
    Duplicate tests and drug interactions can be prevented. 
Better coordinated care supported by HIT enables physicians to 
partner with their patients to prevent complications that lead 
to avoidable hospital admissions, particularly for patients 
with multiple chronic illnesses.
    My 50-physician group practice has an electronic health 
record, or EHR. Our practice leadership is tech-savvy, and 
we're fortunate to have received some support from a forward-
looking private payer. So, with these favorable factors, you 
would think that our decision to implement an EHR was simple. 
On the contrary, it took us 10 years. We have been using our 
EHR for two years now, and have found that the challenges 
associated, especially the cost and impact on workflow, and the 
lack of true interoperability to be very substantial.
    The other challenges are not nearly as great as they are 
for physicians in smaller practices. Of the ACP Members 
involved in direct patient care after training, approximately 
20 percent are in solo practice and 50 percent are in practices 
of 5 or fewer physicians. Three-fourths of all Medicare 
recipients receive their outpatient care from smaller physician 
practices. These are the physicians who already lag in HIT 
adoption, and are least likely to have the necessary capital on 
board to invest in technology.
    Acquisition costs can average up to $44,000 per physician. 
The average annual ongoing costs are about $8,500 for a 
physician. For many of those practices, the business case for 
making such a large investment simply doesn't exist. Public and 
private payers, not the physicians, realize much of the savings 
from physician investment in acquiring the necessary HIT.
    Mandating use of HIT, especially in the absence of positive 
financial incentives and lack of uniform standards of 
interoperability and functionality will likely drive the 
physician practices we need the most out of business. Positive 
incentives are the answer.
    ACP specifically recommends that Congress build into the 
Medicare physician payment system an add-on code for office 
visits and other services when supported by certified HIT. The 
amount of the add-on should relate to the complexity of HIT 
adopted by the practice, similar to how bridges to excellence 
provides increasingly higher payments to practices as they 
acquire and use more advanced information systems. Congress 
should continue to support the establishment of the standards 
needed to allow true interoperability.
    For example, while my EHR has provided great benefit, we 
can't yet incorporate test results from outside laboratories in 
electronic searchable form, due to lack of interoperability. 
Congress should continue to advance the patient-centered 
medical home, or PCMH model, as a means of rapidly driving 
primary care practices to acquire the information systems and 
other capabilities needed to provide patient-centered and 
coordinated care.
    We appreciate the support of Chairman Stark and other 
Members of this Subcommittee for the increased funding for the 
Medicare medical home demo that was included in H.R. 6331, and 
for the inclusion of provisions in the CHAMP Act to further 
advance this model.
    NCQA has developed a qualification process to provide an 
independent assessment of the capabilities of practices to 
provide coordinated care, including the degree by which they 
are using HIT in order to participate in a medical home demo. 
This process, for instance, looks at whether a practice has 
registry systems to track patients by disease conditions, or to 
generate patient reminders.
    ACP specifically recommends that Congress transition from 
the limited medical home demonstration in eight states to a 
national pilot, as the Medicare payment advisory Committee has 
recommended.
    Should the pilot show that the medical home model can 
improve quality, achieve savings without compromising quality, 
or both, Congress should require the Secretary of HHS to 
develop and implement a new payment system for any practice 
that has the capability to be a medical home. This would 
consist of a monthly risk-adjusted care management fee that 
would take into account how a practice is advanced in acquiring 
HIT, continued fee-for-service payments for visits, and a 
performance-based component for reporting on quality.
    We also encourage Federal support for regional and 
statewide HIE, health information exchanges. Many of the 
potential benefits of physicians adopting EHR's won't be 
realized until we do so.
    So, in summary, we commend Chairman Stark and Members of 
the Committee for holding this important hearing. ACP believes 
that Congress should build into Medicare payment policy, 
increased payments for practices that acquire and use HIT to 
improve quality, especially those that demonstrate the 
capability of being a medical home, and provide access to 
Federal funding for initial acquisition costs.
    Without financial incentives, small practices and their 
patients will be left behind the technological curve. Thank 
you.
    [The prepared statement of Mr. Ejnes follows:]

      Prepared Statement of Yul D. Ejnes, M.D., Chairman, Medical
           Services Committee, American College of Physicians

    I am Yul Ejnes, MD, FACP. I am a practicing general internist in 
Cranston, Rhode Island. I am a member of the medical faculty at Brown 
University and serve on the Board of Directors of the Rhode Island 
Quality Institute, the state's Regional Health Information Organization 
(RHIO). I am also a member of the Board of Regents of the American 
College of Physicians (ACP), and chair of the College's policy 
committee that has overall responsibility for both payment-related 
policies and health information technology (HIT). I am pleased to 
present ACP's views on the adoption and use of HIT.
    ACP, representing 126,000 internists and medical students, is the 
largest medical specialty society and the second largest medical 
organization in the United States. ACP commends Subcommittee Chairman 
Fortney ``Pete'' Stark and Ranking Member Dave Camp for holding this 
hearing on the adoption and use of HIT. We share the optimism conveyed 
in the announcement of this hearing by Chairman Stark, that HIT has the 
potential to improve quality of health care and reduce costs. We 
commend the Subcommittee for specifically focusing on the need for 
incentives to facilitate HIT adoption and use.

Introduction

    The Institute of Medicine's (IOM) 2001 Report, ``Crossing the 
Quality Chasm--A New Health System for the 21st Century,'' 
suggested that up to 98,000 Americans die each year as a result of 
medical errors. The report introduced the notion that many of these 
lives could be saved through information technology. Since then, 
numerous studies and other policy experts have confirmed that full 
adoption and utilization of HIT has the potential to result in major 
gains in health care quality of care and patient safety.\1\ Some 
studies have also concluded that HIT can achieve very substantial 
reductions in health care costs.\2\ Even skeptics who are less certain 
about the ability of HIT to lower costs recognize that providing 
physicians and other clinicians with access to information systems to 
help them manage and coordinate patient-centered care, especially for 
patients with multiple chronic diseases, offers the potential of 
achieving gains in quality and overall savings.\3\
---------------------------------------------------------------------------
    \1\ DesRoches, Catherine, et al., ``Electronic Health Records in 
Ambulatory Care--A National Survey of Physicians'', New England Journal 
of Medicine, July 3, 2008.
    \2\ RAND Health, ``Health Information Technology: Can HIT Lower 
Costs and Improve Quality?,'' Research Highlight, at http://
www.rand.org/pubs/research_briefs/RB9136/RAND_RB9136.pdf.
    \3\ Sidorov, Jaan, ``It Ain't Necessarily So: The Electronic Health 
Record and the Unlikely Prospect of Reducing Health Care Costs,'' 
Health Affairs, July/August 2006.
---------------------------------------------------------------------------
    The Congressional Budget Office (CBO) May 2008 paper ``Evidence on 
the Costs and Benefits of Health Information Technology'' states that 
HIT generally refers to the use of computer applications in the 
practice of medicine. It notes that those applications (including 
clinical decision support and electronic prescribing) can be housed in 
an electronic health record (EHR).\4\ While physicians can use 
individual HIT applications independent of an EHR, use of an EHR is 
often used to measure HIT adoption.
---------------------------------------------------------------------------
    \4\ Evidence of the Costs and Benefits of Health Information 
Technology, Congressional Budget Office, May 2008.

---------------------------------------------------------------------------
Benefits of Health Information Technology

    The benefits of HIT that are most often cited are: avoidance of 
medical mistakes; storage and preservation of medical data; avoidance 
of medical errors; reductions in malpractice premiums; and improved 
quality outcomes.\5\ We elaborate on each of these benefits below.
---------------------------------------------------------------------------
    \5\ Sidorov, Jaan, ``It Ain't Necessarily So: The Electronic Health 
Record and the Unlikely Prospect of Reducing Health Care Costs,'' 
Health Affairs, July/August 2006.

          Medical Mistake Avoidance/Provision of Recommended 
        Care: The use of clinical-decision support tools at the point 
        of care has the potential to offer a tremendous advantage to 
        both physicians and their patients by facilitating recommended 
        evidence-based preventive, acute, and chronic care. Examples of 
        this benefit include alerts about vaccinations, anti-
        coagulation reminders, diabetes, hypertension, thyroid and 
        anemia screening in the elderly, health maintenance and 
        preventive care measures. HIT can also be an important conduit 
        for providing clinicians with unbiased information on the 
        comparative effectiveness, clinical as well as cost, of 
        different treatments, a topic that the ACP has addressed in 
        some detail in a new position paper on comparative 
        effectiveness.
          Storage of Other Encounter Data: An often-cited 
        example is the disappearance of paper medical records and 
        charts following Hurricane Katrina. Having medical data stored 
        electronically assures the safe keeping of complete medical 
        histories that can be difficult to duplicate from memory. In 
        addition, when patients become incapacitated, storage of the 
        data can be critical.
          Medication Error Avoidance: The use of electronic 
        prescribing (e-prescribing) offers promise because it 
        eliminates problems with handwriting legibility and, when 
        combined with decision-support tools, automatically alerts 
        prescribers to possible interactions, allergies, and other 
        potential problems. E-prescribing can also increase appropriate 
        use of generic drugs. We note, however, the e-prescribing 
        systems will be more effective if they are integrated with 
        fully functional electronic health records.
          Quality Improvement, Patient-Centeredness, and Care 
        Management: As noted earlier, HIT offers the potential to help 
        physicians improve overall health care quality by having 
        evidence-based clinical decision support at the point of care, 
        generating patient reminders, providing access to more complete 
        information, and reducing drug interactions. It can also have 
        the benefit of preventing unnecessary and duplicative testing, 
        helping patients achieve improvements in their own health care, 
        delivering patient centered services (such as remote 
        monitoring, secure access to email consultations), and reducing 
        fragmentation in health care services that may increase costs 
        and result in poorer outcomes. Further, it can shorten hospital 
        stays or help avoid them altogether. It also enhances the 
        ability of physicians to track and measure the quality of care 
        they provide to their patients.

Status of Physician Health Technology Use

    Despite the tremendous upside associated with HIT, relatively few 
physician practices have it--with small practices having the lowest 
rates. A 2006 review by the Robert Wood Johnson Foundation found that 
approximately 24% of physicians in ambulatory practice have an EHR, 
with a solo physician practice adoption rate of only 13% to 16%.\6\ A 
2006 ACP member survey demonstrated that practices with five or fewer 
physicians have a significantly lower EHR adoption rate (18%), than 
practices with 20 or more physicians (58%).\7\ Other studies have shown 
that while EHR use is rising slowly, adoption by small practices 
continues to lag.\8\
---------------------------------------------------------------------------
    \6\ The Robert Wood Johnson Foundation (2006), Health Information 
Technology in the United States: The Information Base of Progress, 
chapter 3, p. 26.
    \7\ American College of Physicians, E-Health and Its Impact on 
Medical Practice. Philadelphia: American College of Physicians; 2008: 
Position Paper.
    \8\ Jha, Ashish K., Ferris, Timothy G., et al., ``How Common Are 
Electronic Health Records in the United States? A Summary of the 
Evidence,'' Health Affairs, web exclusive October 11, 2006.

---------------------------------------------------------------------------
Barriers to Physician Health Information Technology Use

    The barriers to the acquisition and use of HIT, especially for 
small physician practices, are numerous, with the major obstacles 
described below.

          Substantial Cost in Acquiring and Maintaining the 
        Technology: Depending on the size of the practice and its 
        applications, acquisition costs, on average, $44,000 per 
        physician. The average annual ongoing costs of maintenance and 
        support are about $8,500 per physician.\9\ Physicians cite 
        these costs are the largest adoption barrier.\10\ In addition, 
        there are costs associated with training and lost productivity. 
        In a 2005 study, 14 small practices implementing a HIT system 
        experienced a decline in revenue because of lost productivity 
        of $7,500 per physician.\11\ Collectively, investment and 
        maintenance is a financial commitment that spans the life of 
        the practice. This obstacle is especially acute for physicians 
        in small practices, where three-fourths of all Medicare 
        recipients receive outpatient care.\12\
---------------------------------------------------------------------------
    \9\ Miller, Robert, West, Christopher, et al., ``The Value of 
Electronic Health Records in Solo or Small Group Practices.'' Health 
Affairs, Vol. 24, No. 5, September/October 2005.
    \10\ DesRoches, Catherine, et al., ``Electronic Health Records in 
Ambulatory Care--A National Survey of Physicians'', New England Journal 
of Medicine, July 3, 2008.
    \11\ Miller, Robert, West, Christopher, et al., ``The Value of 
Electronic Health Records in Solo or Small Group Practices.'' Health 
Affairs, Vol. 24, No. 5, September/October 2005.
    \12\ Center for Studying Health System Change, ``Most Medicare 
Outpatient Visits Are to Physicians With Limited Clinical Information 
Technology,'' July 2005.
---------------------------------------------------------------------------
          HIT Savings Accrue to Others and Not the Physician 
        Making the Investment: Public and private payers generally 
        realize the financial benefit associated with HIT use, which 
        can come in the form of a reduction in duplicative or 
        unnecessary care, the avoidance of costly medical errors, a 
        reduction in hospital days, an improvement in quality outcomes, 
        and lower administrative costs.
          Lack of True Interoperability: Physicians lack 
        confidence that an EHR will be able to communicate with an 
        information system used by another clinician, hospital, 
        laboratory, or other entity. Manual integration of information 
        from disparate sources requires additional work and prevents 
        full using EHRs to their full capability. This situation 
        discourages EHR adoption.
          Medicare and Other Payment Systems Generally 
        Incentivize Volume over Quality: Paying physicians on a per-
        procedure or per-service basis encourages volume and actually 
        may act as a disincentive to acquire information systems that 
        can result in the more efficient provision of services. For 
        example, a physician receives less financial compensation if he 
        or she refrains from conducting a test known to be duplicative 
        because of HIT. Medicare payment policies for the most part 
        are, at best, neutral on acquisition and use of HIT, except for 
        some limited reporting of ``structural'' measures in the 
        Physician Quality Reporting Initiative (PQRI) and several 
        Medicare demonstration projects that provide reimbursement 
        incentives for HIT. Medicare also systematically undervalues 
        primary care services, making it particularly difficult for 
        primary care doctors whose practices may be struggling and near 
        the breaking point to spend the money needed to acquire HIT.
          Uncertainty Surrounding Medicare Physician Payments: 
        The flawed mechanism for updating Medicare payments to 
        physicians, the Sustainable Growth Rate (SGR) system, is a 
        complicating factor. The system--and its need to be perpetually 
        corrected, makes planning for significant practice investment a 
        challenge. We appreciate the congressional action, despite the 
        budget challenge and other obstacles, to avert what would have 
        been a devastating 10.6% across-the-board cut in physician 
        payments that was set to begin on July 1, 2008 and substituting 
        the additional 5.4% cut slated for 2009 with a 1.1% increase. 
        This action provides some stability and buys time to fashion a 
        long-term legislative solution. The relatively modest increase, 
        especially considering rising practice costs, and the 
        uncertainty regarding payment updates beyond 2009 make it 
        difficult for practices to make the investment in EHR and other 
        HIT. ACP also recognizes and appreciates that the Children's 
        Health and Medicare Protection (CHAMP) Act--reported out of the 
        Ways and Means Committee, with the support and leadership of 
        Chairman Stark, and that passed the House of Representatives in 
        2007--would have provided further relief from the SGR cuts and 
        improved payments for primary care services had it become law.

    In sum, for many physicians, the business case to invest in EHR/HIT 
simply does not exist. Even so, there are physicians who have become 
early adopters even though the economic case for doing so is poor.
    I have had an EHR in my own medium-sized practice for the past two 
years and have been writing prescriptions electronically for the past 
five. I made this investment because I felt it was in the best 
interests of my patients, even thought it was not necessarily in the 
best interest of my practice's ``bottom line.'' But, I fully understand 
why so many of my colleagues have deferred making such an investment 
given the poor business case to support it and the lack of any 
reimbursement incentives for doing so.

The Need for Congressional Involvement

    The complex issues surrounding financing, assistance with redesign 
of practice workflow, and ongoing technical support and training must 
be recognized and addressed for the goal of widespread adoption and use 
HIT to be realized. ACP strongly believes that the Congress has an 
important role to play in overcoming the challenges posed by these 
issues, particularly pertaining to physicians in small practices.
    Both Medicare and the private sector have recently provided some 
incentives to facilitate HIT adoption and use. Unfortunately, the 
programs are limited to far too few physicians. These experiences do, 
however, demonstrate physician interest and provide reasonable 
assurance the physicians will respond to adequate incentives. This 
should provide Congress with a level of comfort that physicians will 
use incentives if they are made available to more physicians.
    The Bridges to Excellence (BTE) program that encourage practices to 
maintain structural capability, including HIT components, aimed at 
improving patient care provides an example of physician practices 
responding to financial incentives. BTE is a coalition that encourages 
leaps in quality of care by recognizing and rewarding health care 
providers who demonstrate that they provide safe, effective, efficient, 
and patient-centered care. The BTE program pays physicians who are 
recognized under the National Committee for Quality Assurance (NCQA) 
Physician Practice Connections Physicians Office Link (PPC-POL) program 
as having the systems to improve care up to $50 per patient per year. 
Over 1,500 physicians are recognized through the NCQA PPC program, with 
an average practice size of 5 physicians. This shows that small 
physician practices are responsive when financial incentives are 
aligned with the transition to this type of care.
    Beginning January 2008, BTE started to make bonus payments to 
practices in eligible areas that earn NCQA PPC-POL or PPC Patient 
Centered Medical Home (PPC-PCMH) recognition, plus the required 
recognition for other condition-specific modules (e.g. diabetes, heart/
stroke). This is evidence of the growing interest of the PCMH and the 
willingness of the private sector to provide incentives to encourage 
practices to pursue PCMH recognition.

Recommended Financial and Other Incentives

    Many physicians' small practices will be unable to acquire and use 
HIT without sufficient financial assistance from the Federal 
Government. Leaving behind these practices, from which the majority of 
Medicare beneficiaries receive their care, will prevent the goal of 
widespread use of fully integrated technology from becoming a reality.
    We caution Congress, though, against trying to mandate HIT use, 
especially given the lack of financial incentives to help practices. 
For many small practices, an unfunded mandate to acquire and use HIT 
could literally put them out of business. It is also does not make 
sense to mandate HIT given that issues relating to interoperability, 
standards, and functionality have yet to be fully resolved. Mandates 
are not sensitive to differences in practice resources, patient case 
mix, staffing ratios, geographic locations, ownership, and a myriad of 
other factors that will affect the ability of practices to acquire and 
use HIT. A practice that is part of a large academic system, large 
group practice, or owned by a hospital is very different from a small 
physician-owned practice.
    We instead recommend that Congress establish targeted financial 
incentives aimed at facilitating HIT in small practices. Specifically, 
ACP recommends that the Congress take the steps below to provide the 
financial incentives necessary to facilitate widespread HIT adoption 
and use.

          Establish an Add-on Payment for Evaluation and 
        Management Services: The College recommends establishing an 
        add-on code for office visits and other evaluation and 
        management (E/M) services when the visit is supported by 
        qualified HIT systems. The payment mechanism should make it 
        possible for the physician to report that the E/M service was 
        supported by HIT. The amount of the add-on should relate to the 
        complexity of HIT adopted by the practice. For example, 
        Medicare could establish three levels or tiers of HIT adoption, 
        similar to the NCQA PPC-POL module. The level of the add-on 
        then would depend not only on whether the physician had the 
        information systems in their office, but how those systems are 
        used to improve patient care. A practice that had only a simple 
        stand-alone e-prescribing system and patient registry would be 
        paid less than one that had a fully functional EHR with e-
        prescribing, patient reminders, clinical decision support at 
        the point of care, and the ability to measure and report on 
        clinical performance measures imbedded in the system.
          Include Reporting of Structural HIT Measures in 
        Quality Reporting Programs: Medicare should reward physicians 
        who incorporate either some or all aspects of HIT and 
        participate in reporting on endorsed quality measures as part 
        of the PQRI. We note that the PQRI currently includes a small 
        number of structural measures, and beginning in 2009, Medicare 
        will begin providing bonus payments to physicians who are able 
        to report that they are using an e-prescribing system.
          Pay Physicians a Care Coordination Fee if they 
        Acquire and Use the Information Systems Needed to Function as a 
        PCMH and Regularly Report on their Performance. The ACP 
        recommendations on the PCMH are discussed in depth later in 
        this testimony.
          Assist Small Physician Practices with the Initial 
        Investment to Acquire HIT: Congress should make available 
        grants, loans, and/or tax credits to help practices currently 
        least able to purchase the necessary HIT hardware and software. 
        ACP notes, however, that the impact of these incentives is 
        limited absent changes in Medicare payment policies to create 
        incentives for HIT use.
          Ensure Clear Guidance on the ``Safe harbor'' 
        Exception to the Self-referral Prohibition: The law allows 
        hospitals and other entities to assist physicians in acquiring 
        HIT. The CBO May 2008 paper, ``Evidence on the Costs and 
        benefits of Health Information Technology'', notes that three 
        federal agencies are establishing rules related to this safe 
        harbor and the lack of present clarity can be an impediment to 
        HIT expansion.
          Explore Mechanisms to Assist Practices in 
        Implementing HIT: Physicians face significant challenges in 
        selecting, integrating, and optimizing HIT. The National 
        Ambulatory Medical Care Survey (NAMCS), an annual, government-
        funded, nationally representative survey of all ambulatory 
        visits to physicians whose practices are not hospital-based, 
        includes questions about EHR use. While the NAMCS found nearly 
        24% of physicians using EHRs, further analysis determined that 
        only 9% are using an EHR with at least the four key 
        functionalities identified by the IOM.\13\ Congress should 
        facilitate resources that provide support throughout the HIT 
        implementation continuum that will make selection less 
        daunting, minimize productivity throughout implementation, and 
        result in optimal use. The College urges Congress to review the 
        recommendations/options in the October 2007 ``eHealth 
        Initiative Blueprint: Building Consensus for Common Action,'' 
        which is available at http://www.ehealthinitiative.org/
        blueprint/eHiBlueprint-BuildingConsensusForCommonAction.pdf.
---------------------------------------------------------------------------
    \13\ Institute of Medicine, ``Key Components of an Electronic 
Health Record System: Letter Report,'' July 2003.
---------------------------------------------------------------------------
          Support the Establishment of Standards to Facilitate 
        Interoperability and Reporting Quality Data: ACP strongly 
        supports efforts by those in the Administration and the 
        Congress to speed the adoption of uniform standards for HIT. In 
        order to oversee the ten-year initiative to achieve widespread 
        adoption of EHRs that President Bush announced in 2004, the 
        Administration created the Office of National Coordinator for 
        Health Information Technology (ONC). ONC and related 
        initiatives are working toward establishing the standards 
        necessary to provide physicians with confidence that their 
        investment in HIT will be supported by sustainable processes 
        and infrastructure that enable them to use HIT to the optimal 
        benefit of the patient and system efficiency.
          Support for Information Exchange Projects that 
        Promote Interoperability: Congressional support for state and 
        regional health information exchange efforts will move toward 
        the true interoperability needed for physicians to use EHR 
        products to their maximum potential and to achieve the greatest 
        benefit to the health care system.

Patient Centered Medical Home as a Means to Facilitate HIT and its 
        Associated Goals

    ACP, like many others, believes that use of HIT alone will not 
enable the health care system to deliver improved quality in a way that 
maintains or lowers costs to its full potential. The College believes 
that HIT in the context of a Patient Centered Medical Home will yield 
the greatest benefit. ACP worked with the American Academy of Family 
Physicians (AAFP), the American Academy of Pediatrics (AAP), and the 
American Osteopathic Association (AOA) to jointly establish principles 
that define the PCMH. The PCMH is a delivery model that involves a 
patient with a relationship with a personal physician who works with a 
practice team to provide first contact, whole-person, continuous care. 
The PCMH model is based on the premise that the best quality of care is 
provided not in episodic, illness-oriented care, but through patient 
centered care that emphasizes prevention and care coordination. A PCMH 
practice must demonstrate that it has the infrastructure and capability 
to provide care consistent with the patient's needs and preferences. 
The PCMH joint principles call for enhanced payment to support the 
practice transformation and increased value to the patient and the 
health care system.
    ACP, AAFP, AAP, and AOA, as the four organizations that represent a 
significant number of primary care physicians, worked with the National 
Committee on Quality Assurance (NCQA) to establish an independent 
process by which physician practices can be recognized as a PCMH. The 
NCQA established process, the Physician Practice Connections-PCMH (PPC-
PCMH) module, requires practices to meet core requirements and attain a 
minimum score to be recognized as a medical home. Practices that meet 
these core requirements and achieve at or above the minimum total score 
are identified as one of three progressive levels of PCMH. The highest 
level of medical home, a Tier 3 PCMH, is generally associated with the 
greater use of HIT.
    Having a process by which an independent, third-party determines 
whether a physician practice is a PCMH is one reason why the model has 
gained considerable traction over the past few years. Assurance that 
practices are transforming to meet the full needs of patients has 
contributed to the decision of many employers, health plans, consumer 
organizations, policymakers, and other health care stakeholders to 
embrace the model. It is our understanding that CMS intends to use a 
recognition process to identify the medical home practices that 
participate in the Medicare medical home demonstration project 
authorized by Congress in 2006 and enhanced through the Medicare 
legislation that become law earlier this month.
    In its June 2008 Report to Congress, the Medicare Payment Advisory 
Commission (MedPAC) recommended that it establish a robust PCMH pilot 
project that focuses on practices that use significant HIT.
    We appreciate the Congress's support of the PCMH and urge it to 
consider additional payment reforms that incentivize the adoption and 
use of HIT in the context of the PCMH. We specifically recommend that 
Congress:

          Provide Additional Funding to the Centers for 
        Medicare and Medicaid Services (CMS) to Expand the Medicare 
        Medical Home Demonstration to More Practices and States. ACP 
        appreciates the $100 million in increased funding for the 
        Medicare Medical Home Demonstration that was included in H.R. 
        6331 but believe that even higher funding levels would enable 
        the PCMH model to be expanded nationwide and evaluated as a 
        national pilot rather than a limited demonstration project. We 
        also believe that Congress should consider working from the 
        medical home demonstration language and funding that was in the 
        CHAMP Act as a basis for expanding the model into a national 
        pilot. ACP cautions the Subcommittee, however, not to delay the 
        existing demonstration even as it considers additional 
        legislation to expand and test the PCMH on a national scale.
          Require that the Secretary Transition to a New 
        Payment Methodology for Qualified PCMH, should the Medicare 
        Medical Home Demonstration be Successful in Improving Quality 
        or Achieving Savings or Both: The alternative PCMH payment 
        structure should pay PCMH recognized practices, including 
        practices recognized through the NCQA PPC-PCMH voluntary 
        recognition process or other equivalent process as determined 
        by the Secretary, for the clinical work and practice expenses 
        associated with providing care coordination services, 
        consisting of the following:
          Prospective, risk-adjusted per beneficiary per month 
        PCMH fee for each beneficiary that chooses that practice as 
        their PCMH to cover the work and practice expenses involved in 
        providing care consistent with the PCMH model (e.g. increased 
        access, care coordination, disease population management and 
        education) that are not currently covered under the Medicare 
        Physician Fee Schedule. Such prospective, risk-adjusted per 
        beneficiary payment should be set at a level and magnitude that 
        is sufficient to support the acquisition, use and maintenance 
        of clinical information systems needed to qualify as a PCMH and 
        that have been shown to facilitate improved outcomes through 
        care coordination.
          The Secretary should consider the impact of qualified 
        PCMHs on reducing preventable hospital admissions, duplicate 
        testing, medication errors and drug interactions, and other 
        savings in Medicare Parts A, B (including Part B services not 
        included in the Medicare Physician Fee Schedule) and apply a 
        portion of the aggregate estimate of such savings to 
        determining the aggregate amount of payment for the PCMH fees 
        that would then be provided to qualified practices. Should 
        aggregate actual savings after three years be higher than the 
        estimate, the Secretary should apply a portion of such 
        additional aggregate savings to fund the PCMH fee.
          Performance-based bonus fee determined by meeting 
        specified clinical, patient satisfaction and efficiency 
        benchmarks.
          Continued fee-for-service payment for evaluation and 
        management services.
          Require Separate Medicare Payment for Designated 
        Primary Care Services and Services and Capabilities that 
        Promote Patient-centered Care: Congress should mandate that the 
        Secretary pay for care coordination services provided by a 
        primary or principal care physician to a beneficiary. Medicare 
        should make separate payment for a comprehensive care 
        coordination service described in a yet-to-be-defined procedure 
        code(s). Medicare should also make separate payment for 
        discrete services defined by existing procedure codes that 
        describe a clinical interaction with a beneficiary that is 
        inherent to care coordination, including interactions outside a 
        face-to-face encounter. These services should include:

          Care plan oversight;
          Evaluation and management provided by phone;
          Evaluation and management provided using internet 
        resources;
          Collection and review of physiologic data, such as 
        from a remote monitoring device;
          Education and training for patient self management;
          Anticoagulation management services; and
          Current or future services as determined appropriate 
        by the Secretary.

Estimating Savings from HIT Use and Other Promising Projects

    ACP believes that much of the additional expense involved in 
funding the financial incentives it recommends in this statement can be 
covered by the anticipated savings that the improved care can generate. 
Congress should develop a mechanism to assess the system-wide savings 
that HIT and other innovative delivery and payment reforms, such as the 
PCMH, that aim to improve quality generate. Savings can be used to help 
fund Medicare's assistance to physicians with initial HIT investment 
and on-going maintenance.
    In addition, we are encouraged that the Department of Health and 
Human Services is in the process of assessing the system-wide savings 
expected to be generated through the EHR demonstration project and the 
Medicare medical home demonstration project. HHS intends to fund the 
enhanced payments to physicians participating in the EHR demonstration 
project through the system-wide savings that it expects it to generate. 
HHS is determining the savings it expects the improved interventions 
that result from the Medicare medical home demonstration project will 
generate. It will use the expected savings to fund payments to 
individual physicians in PCMH practices for the enhanced services they 
provided to better coordinate patient care. Congress should monitor 
these important efforts to assess the impact of HIT and other promising 
reforms across the entire Medicare program, as opposed to the 
historical tendency to assess changes within individual components of 
the Medicare program.
    We are troubled, however, by the CBO view, expressed in its May 
2008 paper, that HIT will not likely reduce overall health care 
spending and that incentives may actually increase spending in the 
absence of mandates. This position goes against the views of many other 
experts who believe that HIT, especially if used to support patient-
centered care coordination by primary care physicians, can improve 
quality and achieve efficiencies that decreases overall spending. The 
CBO position may itself become one of the greatest barriers to HIT 
adoption if it results in Congress being unwilling to provide the 
financial incentives needed to support HIT.
    We also note that most other industrialized nations have decided 
that it is necessary and appropriate to make large public investments 
in HIT. ACP recently published a position paper in the College's peer-
reviewed journal, the Annals of Internal Medicare, that compared the 
United States' health care system with those of other industrialized 
countries. Citing data from the Commonwealth Fund and other sources, 
the paper found that compared with countries with well-performing 
health care systems, the United States lags seriously in the 
implementation of EHR systems in office practice. Compared with primary 
care doctors in six other countries, U.S. physicians are among the 
least likely to have extensive clinical information systems. In 2006, 
nearly all primary care doctors in the Netherlands (98%), and 79% to 
92% of doctors in Australia, New Zealand, and the United Kingdom, have 
EHR systems, while the rate was only 28% in the United States (and 23% 
in Canada). Most doctors in countries with high rates of EHR systems 
routinely use them to electronically order tests, prescribe 
medications, and access patients' test results. Compared with doctors 
in the U.S. doctors in these countries are more likely to receive 
computerized alerts about potential problems concerning drug dosages 
and interactions, have reminder systems to notify patients about 
preventive or follow-up care, and (except for the Netherlands) receive 
prompts to provide patients with test results. More than 60% of the 
doctors in the four countries with high EMR use, as well as those in 
Germany (where 42% have EMR systems), say it is easy to generate lists 
of patients by diagnosis or health risk; in contrast, only 37% of U.S. 
doctors say it is easy, and 60% say it is somewhat difficult or worse 
to generate such lists. Likewise, doctors in countries with high rates 
of EMR systems are two-to-four times as likely to say it is easy to 
generate lists of patients who are due or overdue for tests or 
preventive care; only 20% of doctors in the United States report that 
it is easy.\14\
---------------------------------------------------------------------------
    \14\ ``Achieving a High-Performance Health Care System with 
Universal Access: What the United States Can Learn from Other 
Countries,'' ACP position paper, Annals of Internal Medicine, January 
2008.
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Privacy and Security Concerns

    ACP recognizes that patients have a basic fundamental right to 
privacy that includes the information contained in their own medical 
records--whether in electronic or paper form. ACP has long recognized 
the need for appropriate safeguards to protect the privacy and security 
of patient data. Trust and respect are the cornerstones of the patient-
physician relationship and are key to quality health care. Patients who 
trust their physician are more like to fully participate in their 
treatment and comply with their care plan.
    We strongly believe that physicians--already governed by strict 
ethical codes of conduct, state professional disciplinary codes, and 
the Hippocratic oath--have a duty and responsibility to protect patient 
privacy. Patients need to be treated in an environment in which they 
feel comfortable disclosing sensitive and confidential health 
information to a physician they can trust. Otherwise, there may be a 
chilling effect for patients to fully disclose the most sensitive of 
information (conditions or symptoms), thereby reducing the 
effectiveness and timeliness of treatment, or, they may avoid seeking 
care altogether for fear of the negative consequences that could result 
from disclosure. While physicians must have access to clinically 
relevant information to safely and effectively treat patients, patients 
must have assurances that adequate firewalls against unauthorized 
individuals gaining access to sensitive data are in place. Congress 
must ensure these safeguards are present.

Conclusion

    The barriers to HIT adoption in physician practices can best be 
overcome by building financial incentives into Medicare and other 
programs. Supporting small practices with their initial acquisition 
costs and including an add-on payment for services documented and 
facilitate by an EHR will provide an infusion of funding that small 
practices need to invest in and maintain HIT. It also sends a signal 
that the Federal Government is committed to facilitating this goal. 
Financial incentives to facilitate the promising PCMH delivery model 
provide a mechanism to further HIT adoption and use in the context of 
an improved delivery system that further achieves these goals. PCMH 
practice recognition that is inherent in the model provides assurance 
that the practice has acquired and uses HIT in an optimal manner. 
Collecting, analyzing, using, and reporting how care compares to vetted 
measures of clinical quality is also inherent in the PCMH model.
    ACP is pleased that the House Committee on Ways and Means Health 
Subcommittee on Health is examining the issues pertaining to HIT option 
and use. We strongly believe Congress has a very important role in 
promoting HIT adoption and providing the necessary initial and ongoing 
funding mechanisms to assist small physician practices. The benefits of 
full-scale adoption of interoperable HIT will be significant, leading 
to a higher standard of quality in the health care system. 
Unfortunately, without adequate financial incentives, small physician 
practices will be left behind the technological curve and their 
patients with them.

                                 

    Chairman STARK. Thank you, Doctor.
    Ms. McGraw.

 STATEMENT OF DEVEN MCGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, 
              CENTER FOR DEMOCRACY AND TECHNOLOGY

    Ms. MCGRAW. Thank you, Chairman Stark, Ranking Member Camp, 
and the members of the Subcommittee. Deven McGraw, director of 
the health privacy project at the Center for Democracy and 
Technology, CDT.
    CDT is a non-profit public interest organization with more 
than 15 years of expertise on Internet and information privacy 
issues. The health privacy project, which was once an 
independent organization, has more than a decade of experience 
in advocating for health privacy protections--again, for health 
information. The two organizations merged just this year, to 
combine the expertise which is particularly timely, given the 
focus now on electronic and Internet-based records.
    CDT supports--CDT absolutely supports--efforts to expand 
the adoption of health information technology and health 
information exchange. Too often I think privacy advocates get 
labeled as trying to place obstacles to getting health IT in 
place. In fact, the opposite is true. We think that privacy and 
security protections are enablers to health IT. We believe 
that, in fact, those solutions, as Peter Orszag referred to, 
are actually obtainable in this congress and in subsequent 
congresses.
    We need to do this, because people do want electronic 
health records. But surveys show that, time after time, about 
two-thirds are concerned about the privacy and security of 
health information. Technology actually enhances our ability to 
keep records private and secure. At the same time, it also 
magnifies the risks. You only have to think about the risks of 
a box of records being left open on a table, versus a laptop 
with thousands of records being stolen out of the trunk of 
someone's car.
    So, to really build public trust in these systems, we need 
a comprehensive privacy and security framework that is based on 
fair information practices, which is typically what we look to 
in developing policies to protect personal information in a 
whole range of contexts. The good news is that we don't have to 
start from scratch.
    First of all, we have the HIPAA privacy and security rules, 
which are based on fair information practices, and provide us 
with a foundation of protections that govern the use of 
information by health care organizations. We can build on this 
foundation, filling in the gaps to create, again, this 
comprehensive policy framework.
    There is also the common framework developed by the Markle 
Foundation's multi-stakeholder Connecting for Health 
Initiative. So, we have lots that we can draw on.
    So, we are really calling on Congress to think big, and 
have a comprehensive vision on privacy and security. But we 
know this is a complex topic. So, in order to get it right and 
still facilitate the flow of information that is necessary to 
improve health care, you really need to think about this, take 
some incremental steps. So, think big, act incrementally, and 
we're happy to work with you all along the way.
    So, in our written testimony, we have actually suggested a 
number of areas that Congress might think about, in terms of 
filling these gaps in HIPAA, and looking at the new players in 
the environment. When I talk about new players, I am focusing 
in particular on personal health records, PHRs, that are being 
offered by employers and Internet companies. They are not 
covered by HIPAA.
    But we don't want you to address this policy vacuum by 
taking HIPAA and having it cover these entities. We don't think 
that's the right approach. Instead, we recommend tasking HHS 
and the Federal Trade Commission, which has lots of experience 
in regulating Internet-based companies, to jointly come up with 
recommendations to protect privacy and security of information 
in personal health records.
    HIPAA was really designed for health care system entities. 
Understanding health care system needs for information to flow, 
that doesn't fit very well, in terms of a regulatory framework 
when you're talking about entities that have a completely 
different business model, and where the revenue basis is likely 
to be based on advertising and commercial use.
    Again, we don't have to start from scratch here, with 
respect to PH.R.s. This is another place where the Markle 
Connecting for Health Initiative has come up with a common 
framework.
    Enforcement is another area that we hope that Congress will 
pay attention to. As is pretty common knowledge now, I think, 
the HHS office of civil rights has not imposed a single civil 
monetary penalty for violations of HIPAA. To our knowledge, the 
Justice Department has only prosecuted a handful of criminal 
violations. We make recommendations in our written testimony 
for some tweaks in the HIPAA statute that will make it easier 
for the Secretary to follow Congress's intent to make sure that 
penalties are imposed in cases of the most egregious HIPAA 
violations: knowing violations and violations of willful 
neglect.
    But we also think that a significant shortfall in HIPAA is 
the absence of any way for the consumer whose privacy is 
violated to pursue meaningful recourse and be made whole. So, 
we do encourage Congress to look at creating a private right of 
action, not for every HIPAA violation, but at least for the 
most egregious types. The government can pursue these penalties 
today, but they don't go to the individual who is actually--if 
they are harmed--are really left holding the bag.
    Again, there are workable ways to do this. It won't be 
easy. We are happy to work with you to find that way. But we 
think it's important to begin developing a way to ensure that 
covered entities are accountable to consumers for the most 
egregious violations of their privacy. Thank you.
    [The prepared statement of Ms. McGraw follows:]

          Prepared Statement of Deven McGraw, Director, Health
          Privacy Project, Center for Democracy and Technology

    Chairman Stark, Ranking Member Camp, and members of the 
Subcommittee, thank you for holding this hearing on promoting the 
adoption and use of health information technology and for the 
opportunity to testify today.
    CDT is a non-profit public interest organization founded in 1994 to 
promote democratic values and individual liberties for the digital age. 
CDT works to keep the Internet open, innovative and free by developing 
practical, real-world solutions that enhance free expression, privacy, 
universal access and democratic participation. The Health Privacy 
Project, which has more than a decade of experience in advocating for 
the privacy and security of health information, was merged into CDT 
earlier this year to take advantage of CDT's long history of expertise 
on Internet and information privacy issues and to come up with workable 
solutions to better protect the privacy and security of health 
information on-line and build consumer trust in e-health systems.
    CDT recently released a comprehensive paper calling on Congress to 
enact--and all stakeholders to adopt--a comprehensive privacy and 
security framework to cover electronic health information. Some of the 
points raised in that paper are highlighted in this testimony today, 
but I also request that the full copy, which is attached and can be 
found at www.cdt.org/healthprivacy/20080514Hpframe.pdf, be entered into 
the hearing record.

Privacy and Security Protections are Critical to Health IT

    Health information technology (health IT) and electronic health 
information exchange can help improve health care quality and 
efficiency, while also empowering consumers to play a greater role in 
their own care. Survey data shows that Americans are well aware of both 
the benefits and the risks of health IT. A large majority of the public 
wants electronic access to their personal health information--both for 
themselves and for their health care providers--because they believe 
such access is likely to increase their quality of care. At the same 
time, people have significant concerns about the privacy of their 
medical records. In a national survey conducted in 2005, 67% of 
respondents were ``somewhat'' or ``very concerned'' about the privacy 
of their personal medical records.\1\ In a 2006 survey, when Americans 
were asked about the benefits of and concerns about online health 
information:
---------------------------------------------------------------------------
    \1\ National Consumer Health Privacy Survey 2005, California 
HealthCare Foundation (November 2005) (2005 National Consumer Survey).

          80% said they are very concerned about identity theft 
        or fraud;
          77% reported being very concerned about their medical 
        information being used for marketing purposes;
          56% were concerned about employers having access to 
        their health information; and
          55% were concerned about insurers gaining access to 
        this information.\2\
---------------------------------------------------------------------------
    \2\ Study by Lake Research Partners and American Viewpoint, 
conducted by the Markle Foundation (November 2006) (2006 Markle 
Foundation Survey).

    Health IT has a greater capacity to protect sensitive personal 
health information than is the case now with paper records. Digital 
technologies, including strong user authentication and audit trails, 
can be employed to limit and track access to electronic health 
information automatically. Electronic health information networks can 
be designed to facilitate data sharing for appropriate purposes without 
needing to create large, centralized databases that can be vulnerable 
to security breaches. Encryption can help ensure that sensitive data is 
not accessed when a system has been breached. Privacy and security 
policies and practices are not 100% tamperproof, but the virtual locks 
and enforcement tools made possible by technology can make it more 
difficult for bad actors to access health information and help ensure 
that, when there is abuse, that the perpetrators will be detected and 
punished.\3\
---------------------------------------------------------------------------
    \3\ See For The Record: Protecting Electronic Health Information, 
Committee on Maintaining Privacy and Security in Health Care 
Applications of the National Information Infrastructure, Computer 
Science and Telecommunications Board, National Research Council 
(National Academy Press, Washington, DC 1997) for a discussion of the 
inability of systems to be 100% tamperproof.
---------------------------------------------------------------------------
    At the same time, the computerization of personal health 
information--\3/4\ in the absence of strong privacy and security 
safeguards--\3/4\ magnifies the risk to privacy. As the recent spate of 
large-scale privacy and security breaches demonstrates, serious 
vulnerabilities exist now. Tens of thousands of health records can be 
accessed or disclosed through a single breach. Recent headlines about 
the theft of an NIH laptop loaded with identifiable information about 
clinical research subjects underscore these concerns, and this is just 
one of numerous examples. The cumulative effect of these reports of 
data breaches and inappropriate access to medical records, coupled with 
a lack of enforcement of existing privacy rules by federal authorities, 
deepens consumer distrust in the ability of electronic health 
information systems to provide adequate privacy and security 
protections.\4\
---------------------------------------------------------------------------
    \4\ See http://www.cdt.org/healthprivacy/20080311stories.pdf for 
stories of health privacy breaches and inappropriate uses of personal 
health information.
---------------------------------------------------------------------------
    With rare exception, national efforts to advance greater use of 
health IT have not adequately or appropriately addressed the privacy 
and security issues raised by the movement to electronic health 
records. While some persist in positioning privacy as an obstacle to 
achieving the advances that greater use of health IT can bring, it is 
clear that the opposite is true: enhanced privacy and security built 
into health IT systems will bolster consumer trust and confidence and 
spur more rapid adoption of health IT and realization of its potential 
benefits.
    Protecting privacy is important not just to avoid harm, but because 
good health care depends on accurate and reliable information.\5\ 
Without appropriate protections for privacy and security in the 
healthcare system, patients will engage in ``privacy-protective'' 
behaviors to avoid having their personal health information used 
inappropriately.\6\ According to a recent poll, one in six adults 
(17%)--representing 38 million persons--say they withhold information 
from their health providers due to worries about how the medical data 
might be disclosed.\7\ Persons who report that they are in fair or poor 
health and racial and ethnic minorities report even higher levels of 
concern about the privacy of their personal medical records and are 
more likely than average to practice privacy-protective behaviors.\8\
---------------------------------------------------------------------------
    \5\ See Janlori Goldman, ``Protecting Privacy to Improve Health 
Care,'' Health Affairs (Nov-Dec, 1998) (Protecting Privacy); Promoting 
Health/Protecting Privacy: A Primer, California Healthcare Foundation 
and Consumers Union (January 1999), http://www.chcf.org/topics/
view.cfm?itemID=12502 (Promoting Health/Protecting Privacy).
    \6\ Protecting Privacy; Promoting Health/Protecting Privacy; 2005 
National Consumer Survey.
    \7\ Harris Interactive Poll #27, March 2007.
    \8\ 2005 National Consumer Survey.
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    The consequences of this climate of fear are significant--for the 
individual, for the medical community, and for public health:

          The quality of care these patients receive may 
        suffer;
          Their health care providers' ability to diagnose and 
        treat them accurately may be impaired;
          The cost of care escalates as conditions are treated 
        at a more advanced stage and in some cases may spread to 
        others; and
          Research, public health, and quality initiatives may 
        be undermined, as the data in patient medical records is 
        incomplete or inaccurate.\9\
---------------------------------------------------------------------------
    \9\ Id.

    It is often difficult or impossible to establish effective privacy 
protections retroactively, and restoring public trust that has been 
significantly undermined is much more difficult than building it at the 
start. Now--in the early stages of health IT adoption is the critical 
---------------------------------------------------------------------------
window for addressing privacy.

We Need a Comprehensive Privacy and Security Framework That Will Build 
        Public Trust, Advance Health IT

    To build public trust in health IT, we need a comprehensive privacy 
and security framework that sets clear parameters for access, use and 
disclosure of personal health information for all entities engaged in 
e-health. In developing this comprehensive framework, policymakers, 
regulators, and developers of HIT systems need not start from scratch. 
A framework for HIT and health information exchange already exists, in 
the form of the generally accepted ``fair information practices'' 
(``FIPS'') that have been used to shape policies governing uses of 
personal information in a variety of contexts--most notably the privacy 
regulations enacted pursuant to the Health Insurance Portability and 
Accountability Act (HIPAA), which established the first federal health 
privacy framework.\10\ While there is no single formulation of the 
``FIPs,'' the Common Framework developed by the Markle Foundation's 
multi-stakeholder Connecting for Health initiative, would:
---------------------------------------------------------------------------
    \10\ Other potential sources for policy recommendations include the 
GAO, the National Center for Vital Health Statistics and the National 
Governor's Association State Alliance for eHealth.

          Implement core privacy principles;
          Adopt trusted network design characteristics; and
          Establish oversight and accountability 
        mechanisms.\11\
---------------------------------------------------------------------------
    \11\ See www.connectingforhealth.org for a more detailed 
description of the Common Framework.

    In particular, the core privacy principles of the Connecting for 
Health Common Framework set forth a comprehensive roadmap for 
protecting the privacy and security of personal health information 
while still allowing information to be accessed and disclosed for 
---------------------------------------------------------------------------
legitimate purposes. Those core privacy principles are:

          Openness and Transparency: There should be a general 
        policy of openness about developments, practices, and policies 
        with respect to personal data. Individuals should be able to 
        know what information exists about them, the purpose of its 
        use, who can access and use it, and where it resides.
          Purpose Specification and Minimization: The purposes 
        for which personal data is collected should be specified at the 
        time of collection, and the subsequent use should be limited to 
        those purposes or others that are specified on each occasion of 
        change of purpose.
          Collection Limitation: Personal health information 
        should only be collected for specified purposes, should be 
        obtained by lawful and fair means and, where possible, with the 
        knowledge or consent of the data subject.
          Use Limitation: Personal data should not be 
        disclosed, made available, or otherwise used for purposes other 
        than those specified.
          Individual Participation and Control:

          Individuals should control access to their personal 
        health information:

          Individuals should be able to obtain from each entity 
        that controls personal health data, information about whether 
        or not the entity has data relating to them.

          Individuals should have the right to:

          Have personal data relating to them communicated 
        within a reasonable time (at an affordable change, if any), and 
        in a form that is readily understandable.
          Be given reasons if a request (as described above) is 
        denied, and to be able to challenge such a denial.
          Challenge data relating to them and have it 
        rectified, completed, or amended.

          Data Integrity and Quality: All personal data 
        collected should be relevant to the purposes for which they are 
        to be used and should be accurate, complete and current.
          Security Safeguards and Controls: Personal data 
        should be protected by reasonable security safeguards against 
        such risks as loss, unauthorized access, destruction, use, 
        modification or disclosure.
          Accountability and Oversight: Entities in control of 
        personal health data must be held accountable for implementing 
        these information practices.
          Remedies: Legal and financial remedies must exist to 
        address any security breaches or privacy violations.

    The HIPAA privacy and security regulations include provisions that 
address each of these categories--but, as discussed in more detail 
below, the rules are insufficient to cover the new and rapidly evolving 
e-health environment. To build consumer trust in e-health systems and 
ensure that health IT and electronic health information exchange move 
forward with sufficient protections for privacy and security, Congress 
should consider: strengthening HIPAA for records kept by traditional 
health system participants; filling gaps in HIPAA's coverage where 
appropriate; and establishing additional legal protections to reach new 
actors in the e-health environment and address the increased migration 
of personal health information out of the traditional medical system.

Strengthening HIPAA Privacy and Security Rules to Meet New Challenges

    The HIPAA privacy and security regulations that took effect in 2003 
reflect elements of a comprehensive framework and provide important 
privacy protections governing access, use and disclosure of personally 
identifiable health information by some entities in the health care 
system. The HIPAA Privacy Rule was a landmark in privacy protection, 
but as noted above, the regulation does not adequately cover the new e-
health environment. For example:

          State and regional health information organizations 
        or health information exchanges (also known as RHIOs or HIEs), 
        which may aggregate and facilitate exchange of personal health 
        information, are often not covered by HIPAA privacy and 
        security regulations. Personal health records and other 
        consumer access services now being created by third parties, 
        including companies such as Google and Microsoft, as well as by 
        employers usually fall outside of the HIPAA rules.
          Personal health data is migrating onto the Internet 
        through an exploding array of health information sites, online 
        support groups, and other on-line health tools, regulated only 
        through enforcement by the Federal Trade Commission (FTC) of 
        the general prohibition against unfair and deceptive trade 
        practices, such as a failure to follow promised privacy 
        policies.
          HIPAA has never required that patients receive notice 
        when their personal heath information is inappropriately 
        accessed or disclosed.
          While the Privacy Rule includes criteria for de-
        identifying data, new technologies are making it much easier to 
        re-identify once de-identified health information and to 
        combine it with personal information in other databases, making 
        it more likely that sensitive health information will be 
        available to unauthorized recipients for uses that have nothing 
        to do with treatment or payment.
          The HIPAA rules have never been adequately enforced. 
        The Office for Civil Rights (OCR) in the U.S. Department of 
        Health and Human Services (HHS), charged with enforcing HIPAA, 
        has not levied a single penalty against a HIPAA-covered entity 
        in the nearly five years since the rules were implemented, even 
        though that office has found numerous violations of the 
        rules.\12\
---------------------------------------------------------------------------
    \12\ ``Effectiveness of medical privacy law is questioned,'' 
Richard Alonso-Zaldivar, Los Angeles Times (April 9, 2008) http://
www.latimes.com/business/la-na-privacy9apr09,0,5722394.story.

    Historically, states have filled the gaps in federal health privacy 
laws by enacting legislation that provides stronger privacy and 
security protections for sensitive data, such as mental health and 
genetic information. The states continue to have an important role to 
play, but relying on the states to fill deficiencies in HIPAA's Privacy 
Rule--or to regulate entities outside of the traditional healthcare 
sphere--does not provide a comprehensive, baseline solution that gives 
all Americans adequate privacy and security protections, and does not 
offer all the entities in the e-health space a predictable and 
consistent policy environment.
    Although it is desirable for Congress to enact legislation that 
fills some of the gaps in HIPAA and to enact a general privacy and 
security framework to govern health IT, we caution against a ``one-
size-fits all'' approach that treats all actors that hold personal 
health information the same. The complexity and diversity of entities 
connected through health information exchange, and their very different 
roles and different relationships to consumers, will often require 
precisely tailored policy solutions that are context and role-based and 
flexible enough to both encourage and respond to innovation. For 
example, it makes little sense to have the same set of rules for 
``personal health records,'' which are often created by and controlled 
by patients and held by third party data stewards outside the 
healthcare system, and for ``electronic health records,'' which are 
created and controlled by health care providers for purposes of 
treatment and care management. To take another example, rules for use 
of personal health information for treatment need to be quite different 
than rules for marketing or other secondary uses. Rules regarding use 
of health information for research need to be separately considered as 
well. Therefore, a second major challenge for Congress is to decide 
what can be legislated and what must be delegated to agency 
rulemaking--and what areas are best left to be developed and enforced 
through industry best practices.
    Below we discuss in detail two critical areas that we do believe 
need attention from Congress: establishing privacy protections for 
personal health records offered by entities not currently covered by 
HIPAA and strengthening HIPAA enforcement. But CDT also recommends 
Congress address the following, either through express legislation 
language or by tasking HHS to modify the HIPAA privacy and security 
rules (or a combination of both approaches):

          Clarify how the new entities that facilitate the 
        electronic exchange of personal health information--including 
        HIEs (Health Information Exchanges), RHIOs (Regional Health 
        Information Organizations), and E-Prescribing Gateways--are 
        covered by HIPAA (for example, by making them HIPAA covered 
        entities or requiring them to have business associate 
        agreements with the entities that exchange health information 
        through them).
          Establish a federal right for patients to be notified 
        in the event of a breach of identifiable health information.
          Tighten the definition of ``marketing'' in the HIPAA 
        privacy rules to make clear that covered entities cannot use a 
        patient's protected health information to send a communication 
        recommending a product or service without that patient's prior 
        authorization.
          Make clear that when entities use electronic medical 
        records, their patients have the right to receive an electronic 
        copy of their health information, and establish a right for 
        patients to monitor who has accessed their health information 
        through audit trails.
          Ensure that covered entities holding protected health 
        information access, use, and disclose only the minimum 
        necessary amount of information when engaging in activities 
        related to payment and health care operations \13\ and require 
        entities to use information stripped of common patient 
        identifiers when it is possible to do so and still accomplish 
        the legitimate purpose for which the information was 
        accessed.\14\
---------------------------------------------------------------------------
    \13\ See 45 C.F.R. 164.501 for a definition of ``health care 
operations.''
    \14\ For example, HIPAA rules provide for the use of a limited data 
set--information stripped of certain patient identifiers--for certain 
purposes, but its use is neither required nor expressly encouraged. See 
45 C.F.R. 164.514(e).
---------------------------------------------------------------------------
          Explore whether the current HIPAA de-identification 
        standard--now five years old--needs to be updated given the 
        increased public availability of data on-line and the possible 
        greater potential for re-identification of de-identified data.

Establishing Privacy Protections for Personal Health Records

    Personal health records and other similar consumer access services 
and tools now being created by Internet companies such as Google and 
Microsoft, as well as by employers, will not be covered by the HIPAA 
regulations unless they are being offered to consumers by covered 
entities. In this unregulated arena, consumer privacy will be protected 
only by the PHR offeror's privacy and security policies (and 
potentially under certain state laws that apply to uses and disclosures 
of certain types of health information), and if these policies are 
violated, the Federal Trade Commission (FTC) may bring an action 
against a company for failure to abide by its privacy policies. The 
policies of PHR vendors range from very good to seriously 
deficient.\15\ The absence of any clear limits on how these entities 
can access, use and disclose information is alarming--and has motivated 
some to suggest extending the HIPAA Privacy Rule to cover PHRs. But we 
believe that the Privacy Rule, which was designed to set the parameters 
for use of information by traditional health care entities, would not 
provide adequate protection for PHRs and may do more harm than good in 
its current scope. Further, it may not be appropriate for HHS, which 
has no experience regulating entities outside of the health care arena, 
to take the lead in enforcing consumer rights and protections with 
respect to PHRs.
---------------------------------------------------------------------------
    \15\ The HHS Office of the National Coordinator commissioned a 
study in early 2007 of the policies of over 30 PHR vendors and found 
that none covered all of the typical criteria found in privacy policy. 
For example, only two policies described what would happen to the data 
if the vendor were sold or went out of business, and only one had a 
policy with respect to accounts closed down by the consumer.
---------------------------------------------------------------------------
    We believe tasking HHS and FTC with jointly developing 
recommendations for privacy and security requirements for PHRs is the 
right approach for ultimately establishing comprehensive privacy and 
security protections for consumers using these new health tools. For 
PHRs offered by entities that are not part of the traditional health 
care system, it is critical that regulators understand the business 
model behind these products, which will largely rely on advertising 
revenue and partnerships with third-party suppliers of health-related 
products and services. Relying solely on consumer authorization for use 
of information shifts the burden of protecting privacy solely to the 
consumer and puts the bulk of the bargaining power on the side of the 
entity offering the PHR. For consumers to truly trust PHRs--and for 
these tools to flourish as effective mechanisms for engaging more 
consumers in their health care--clear rules are needed regarding 
marketing and commercial uses that will better protect consumers.

Congress Should Also Consider Strengthening HIPAA Enforcement

    When Congress enacted HIPAA in 1996, it included civil and criminal 
penalties for failure to comply with the statute--and these penalties 
applied to the subsequent privacy and security rules implemented years 
later. Unfortunately, the HIPAA rules have never been adequately 
enforced. As noted above, HHS has not levied a single penalty against a 
HIPAA-covered entity in the nearly five years since the rules were 
implemented.\16\ The Justice Department has levied some penalties under 
the criminal provisions of the statute--but a 2005 opinion from DOJ's 
Office of Legal Counsel (OLC) expressly limits the application of the 
criminal provisions to covered entities, forcing prosecutors to turn to 
other laws in order to criminally prosecute certain employees of 
covered entities who have criminally accessed, used or disclosed a 
patient's protected health information.\17\
---------------------------------------------------------------------------
    \16\ Just last week, HHS announced that Seattle-based Providence 
Health & Services agreed to pay $100,000 as part of a settlement of 
multiple violations of the HIPAA regulations. But the press release 
from HHS made clear that this amount was not a civil monetary penalty. 
http://www.hhs.gov/news/press/2008pres/07/20080717a.html.
    \17\ See http://www.americanprogress.org/issues/2005/06/
b743281.html for more information on the OLC memo and the consequences.
---------------------------------------------------------------------------
    A lax enforcement environment sends a message to entities that 
access, use and disclose protected health information that they need 
not devote significant resources to compliance with the rules. Without 
strong enforcement, even the strongest privacy and security protections 
are but an empty promise for consumers. Further, even under the 
existing enforcement regime, there is no ability for consumers whose 
information is accessed or disclosed in violation of HIPAA to seek 
redress or be made whole.
    Below are a number of incremental steps that Congress can take this 
year to improve enforcement of HIPAA.

Accountability for Business Associates

    Under current rules, business associates who access, use and 
disclose protected health information on behalf of covered entities are 
accountable for complying with HIPAA privacy and security regulations 
only through their contracts with covered entities. If the covered 
entity does not take action to enforce the contract, there is no other 
mechanism for ensuring that the business associate complies with the 
applicable rules. Further, HHS can only hold the covered entity 
responsible for the actions of business associates if the entity knew 
of a ``pattern of activity or practice of the business associate that 
constituted a material breach or violation'' of its agreement with the 
covered entity, and the covered entity doesn't take action to cure the 
breach or terminate the contract.\18\ Of interest, if the covered 
entity decides that terminating the contract is ``not feasible,'' the 
covered entity is required to report the problem to the Secretary.\19\ 
But the regulations do not give the Secretary any further authority to 
enforce HIPAA against the business associate or hold the covered entity 
responsible for the violation. Congress should take action to ensure 
that business associates can be held legally accountable for complying 
with HIPAA regulations.
---------------------------------------------------------------------------
    \18\ 45 C.F.R. 164.504(e)(ii).
    \19\ Id.

Strengthening the Statutory Provisions Authorizing Civil and Criminal 
---------------------------------------------------------------------------
        Penalties

    Penalties for Criminal Violations. As noted above, the HIPAA 
statute provides for criminal penalties for intentional violations; but 
a DOJ Office of Legal Counsel Memo expressly limits the application of 
these provisions to covered entities. According to this memo, DOJ 
cannot prosecute employees of covered entities or their business 
associates for intentional violations of HIPAA unless these persons are 
carrying out a specific policy or business practice endorsed by the 
covered entity. Congress should make it clear that penalties can be 
assessed against covered entities, business associates, and their 
employees for violations of HIPAA.
    Civil Monetary Penalties--Part I. The statute prohibits the 
Secretary of HHS from imposing civil monetary penalties if the HIPAA 
violation is ``an offense punishable'' under the criminal provisions of 
the statute.\20\ A reasonable interpretation of this provision is that 
if a HIPAA complaint indicates a possible criminal violation, the 
Secretary of HHS cannot launch a civil investigation or pursue civil 
monetary penalties, even if DOJ decides not to prosecute the case. To 
avoid having the most egregious HIPAA violations go unpunished, 
Congress should act to give the Secretary clear authority to 
investigate and pursue civil monetary penalties unless DOJ decides to 
pursue criminal penalties.
---------------------------------------------------------------------------
    \20\ Section 1176(b)(1) of the Social Security Act.
---------------------------------------------------------------------------
    Civil Monetary Penalties--Part II. The civil penalty provisions of 
the statute envision three types of HIPAA violations: those that the 
entity was not aware of (or could not have been aware of exercising 
reasonable diligence); those due to reasonable cause; and those due to 
willful neglect.\21\ The statute also prohibits the Secretary from 
imposing civil monetary penalties in cases of lack of knowledge or due 
to reasonable cause, unless the entity is unable to correct the 
violation within a 30-day time period (with discretion to extend this 
time period).\22\ The statute also gives the Secretary authority to 
provide compliance assistance to help the covered entity correct a 
violation due to reasonable cause and to waive or reduce a penalty in 
cases of reasonable cause if the penalty would be excessive relative to 
the compliance failure involved.\23\ The statute requires that the 
Secretary impose civil monetary penalties for HIPAA violations; \24\ 
the statute does not give the Secretary discretion to give a covered 
entity a chance to correct the violation or the authority to waive or 
reduce penalties in cases of willful neglect. The HIPAA enforcement 
regulations, however, require the Secretary to first try to informally 
resolve all HIPAA complaints--which means there is never an 
investigation into whether or not the violation rises to the level of 
willful neglect (and thus should be subject to civil monetary 
penalties). Congress should act to clarify that the Secretary must 
investigate all complaints for which a preliminary inquiry into the 
facts indicates possible willful neglect and pursue civil monetary 
penalties in willful neglect cases.
---------------------------------------------------------------------------
    \21\ See Sections 1176(b)(2)-(3) of the Social Security Act.
    \22\ Id.
    \23\ Sections 1176(b)(3)-(4) of the Social Security Act.
    \24\ See Section 1176(a) of the Social Security Act (``. . . The 
Secretary shall impose on any person who violates a provision of this 
part a penalty of not more than $100 for each such violation, except 
that the total amount imposed on the person for all violations of an 
identical requirement or prohibition during a calendar year may not 
exceed $25,000'').

---------------------------------------------------------------------------
Establishing Penalties for Re-identification of De-identified Data

    Health information that is de-identified is not covered by the 
protections of HIPAA. Thus, covered entities can provide de-identified 
data to other persons or entities without regard to the requirements 
regarding access, use and disclosure in the HIPAA regulations, and 
these entities can use this data as they wish, subject only to the 
terms of any applicable contractual requirements (or any state laws 
that might apply). If one of these persons or entities then re-
identifies this data--for example, by using information available in a 
public database--that re-identified information would not be subject to 
HIPAA regulations unless the person or entity holding the data was a 
covered entity. Earlier in this testimony we suggest examining the 
current HIPAA de-identification standard to ensure that it continues to 
provide robust protection for patient-identifiable data. But Congress 
could also protect individual privacy by enacting prohibitions (and 
penalties for) the unauthorized re-identification of de-identified 
data.

Other Ways to Improve Accountability under HIPAA

    A significant shortfall in HIPAA is the absence of any way for the 
consumer whose health information privacy has been violated to pursue 
meaningful recourse and be made whole. CDT believes that a private 
right of action should be part of any enforcement scheme. We recognize 
that providing a private right of action to pursue every HIPAA 
complaint no matter how trivial would be inappropriate and disruptive, 
but Congress should further consider giving consumers some right to 
privately pursue recourse where there are intentional violations of the 
law, or in circumstances of willful neglect. As noted above, the HIPAA 
statute already provides for criminal and civil monetary penalties in 
such cases--but these penalties do not currently go to the consumers 
whose privacy was violated, and as structured may not be sufficient (at 
least with respect to civil penalties) to provide meaningful recourse 
for individuals.
    Structuring an effective private right of action will take careful 
thought and consideration. Given the dwindling number of legislative 
days left in the year and political circumstances, we recognize that it 
is unlikely we can pursue implementing such a right this year. But we 
urge Congress to hold hearings on this issue to begin to develop a 
workable way to ensure that entities covered by HIPAA are directly 
accountable to consumers for the most egregious violations of their 
privacy. In the meantime, the recommendations we set forth above are 
ones that can be put into legislation this year and if implemented will 
greatly improve HIPAA enforcement.
    Congress should also consider authorizing State Attorneys General 
to also enforce HIPAA. The HHS Office of Civil Rights is significantly 
under-resourced, and expressly authorizing state authorities to enforce 
HIPAA puts more hands on the enforcement deck. Currently, only those 
State Attorneys General who expressly have the authority to enforce 
federal law in their state authorizing statutes are able to enforce the 
federal HIPAA provisions. State authorities are able to enforce their 
own state health privacy laws, but in only a handful of states are 
those laws are as comprehensive as HIPAA. Congress should consult with 
State Attorneys General about providing them with express authority to 
enforce HIPAA and consider taking future action in this area 
(particularly if the enforcement ``fixes'' recommended earlier in this 
testimony are not successful in actually improving HIPAA enforcement).

The Appropriate Role of Consumer Consent

    Recently, public debates about how best to protect the 
confidentiality, privacy and security of health information have 
focused almost exclusively on whether patients should be asked to 
authorize all uses of their health information. The ability of 
individuals to have some control over their personal health information 
is important, and a comprehensive privacy and security framework should 
address patient consent.\25\ A number of states have passed laws 
requiring patient authorization to access, use and disclose certain 
sensitive categories of health information, and federal law prohibits 
the disclosure of substance abuse treatment records without express 
patient authorization. HIPAA Privacy Rules currently prohibit the use 
of certain types of information, such as psychotherapy notes, or 
prohibit use of information for certain purposes, such as marketing, 
without express patient authorization, and the Rules provide 
individuals with the right to object to certain uses and disclosures 
(such as in facility directories or to family members). The Rules also 
allow covered entities to give consumers greater rights to restrict 
uses and disclosures of their information. Health information systems 
must be structured in a way that allows these consents to be honored 
and appropriately and securely managed.
---------------------------------------------------------------------------
    \25\ Much more should be done to improve the way in which consent 
options are presented to consumers in the healthcare context. Internet 
technology can help in this regard, making it easier to present short 
notices, layered notices and more granular forms of consent.
---------------------------------------------------------------------------
    But patient authorization is not a panacea, and as appealing as it 
may appear to be in concept, in practice reliance on consent would 
provide weak protection for consumer's health information. If health 
privacy rules fail to address the range of privacy and security issues 
through concrete policies, and instead rely only (or significantly) on 
giving individuals the right to consent to multiple uses and 
disclosures of their personal health information, the result is likely 
to be a system that is less protective of privacy and confidentiality.
    Among other reasons, a consent-based system places most of the 
burden of privacy protection on patients at a time where they may be 
least able to make complicated decisions about use of their health 
data. Most don't read the details of a consent form and those that do 
often do not understand the terms. Many wrongly assume that the 
existence of a ``privacy policy'' means that their personal information 
will not be shared, even when the policy and the accompanying consent 
form say just the opposite.\26\ If mere patient authorization is all 
that is needed to share data with third parties, highly sensitive 
patient information will be disclosed to entities that are completely 
outside the scope of the HIPAA privacy regulation. If consent becomes 
the focus of privacy protection, it is clear that patients will be 
exposed to unregulated and potentially uncontemplated uses--and 
misuses--of their data. Further, if policymakers rely on consent by an 
individual for any particular use of his or her information as the key 
to privacy protection, the healthcare industry will have fewer 
incentives to design systems with stronger privacy and security 
protections.
---------------------------------------------------------------------------
    \26\ See ``Stopping Spyware at the Gate: A User Study of Privacy, 
Notice and Spyware'' (with Nathan Good, Rachna Dhamija, Jens 
Grossklags, Steven Aronovitz, David Thaw and Joseph Konstan), presented 
at the 2005 Symposium on Usable Privacy and Security (SOUPS), also in 
ACM INTERNATIONAL CONFERENCE PROCEEDING SERIES; VOL. 93, PROCEEDINGS OF 
THE 2005 SYMPOSIUM ON USABLE PRIVACY AND SECURITY, Pittsburgh, 
Pennsylvania (2005); 2005 National Consumer Survey; ``Research Report: 
Consumers Fundamentally Misunderstand the Online Advertising 
Marketplace,'' Joseph Turow, Deidre K. Mulligan and Chris Jay 
Hoofnagle, survey conducted by University of Pennsylvania Annenberg 
School for Communications and UC-Berkeley Law School's Samuelson Law, 
Technology and Public Policy Clinic 2007.
---------------------------------------------------------------------------
    In contrast, a comprehensive approach--which puts clear parameters 
around who can access, use and disclose a patient's personal health 
information and for what purposes--puts the principal burden on the 
entities holding this information by placing clear enforceable limits 
on the collection and use of personal health information and backs it 
up with strong enforcement.\27\
---------------------------------------------------------------------------
    \27\ By contrast, a comprehensive approach puts the principal 
burden on the entities holding personal health information to protect 
privacy by placing clear enforceable limits on the collection and use 
of personal health information and backs it up with strong enforcement. 
See Beyond Consumer Consent: Why We Need a Comprehensive Approach to 
Privacy in a Networked World, http://www.cdt.org/healthprivacy/
20080221consentbrief.pdf.

---------------------------------------------------------------------------
Conclusion

    Thank you for the opportunity to present this testimony in support 
of strengthening privacy and security protections for personal health 
information, which will build consumer trust and enable health IT and 
electronic health information exchange to move forward. I would be 
pleased to answer any questions you may have.
    Attachment
                               __________

Comprehensive Privacy and Security: Critical for Health Information 
        Technology Version 1.0--May 2008

    In this paper, CDT calls for the adoption of a comprehensive 
privacy and security framework for protection of health data as 
information technology is increasingly used to support exchange of 
medical records and other health information. CDT believes that privacy 
and security protections will build public trust, which is crucial if 
the benefits of health IT are to be realized. In CDT's view, 
implementation of a comprehensive privacy and security framework will 
require a mix of legislative action, regulation and industry commitment 
and must take into account the complexity of the evolving health 
exchange environment.

Privacy and Security Protections are Critical to Health IT

    Health information technology (health IT) and health information 
exchange can help improve health care quality and efficiency, while 
also empowering consumers to play a greater role in their own care. At 
the federal and state levels, policymakers are pushing initiatives to 
move the health care system more rapidly into the digital age.
    However, health IT initiatives pose heightened risks to privacy. 
Recent breaches of health information underscore that the risks are 
real. At the same time, there is widespread confusion and 
misinterpretation about the scope of current health privacy laws. Some 
are pushing for quick ``fixes'' to try to address the public's privacy 
concerns, but fully resolving these issues requires a comprehensive, 
thoughtful and flexible approach.
    While some persist in positioning privacy as an obstacle to 
achieving the advances that greater use of health IT can bring, it is 
clear that the opposite is true: enhanced privacy and security built 
into health IT systems will bolster consumer trust and confidence and 
spur more rapid adoption of health IT and realization of its potential 
benefits.
    Survey data shows that Americans are well aware of both the 
benefits and the risks of health IT. A large majority of the public 
wants electronic access to their personal health information--both for 
themselves and for their health care providers--because they believe 
such access is likely to increase their quality of care. At the same 
time, people have significant concerns about the privacy of their 
medical records. In a national survey conducted in 2005, 67% of 
respondents were ``somewhat'' or ``very concerned'' about the privacy 
of their personal medical records.\28\ In a 2006 survey, when Americans 
were asked about the benefits of and concerns about online health 
information:
---------------------------------------------------------------------------
    \28\ National Consumer Health Privacy Survey 2005, California 
HealthCare Foundation (November 2005) (2005 National Consumer Survey).

          80% said they are very concerned about identity theft 
        or fraud;
          77% reported being very concerned about their medical 
        information being used for marketing purposes;
          56% were concerned about employers having access to 
        their health information; and
          53% were concerned about insurers gaining access to 
        this information.\29\
---------------------------------------------------------------------------
    \29\ Study by Lake Research Partners and American Viewpoint, 
conducted by the Markle Foundation (November 2006) (2006 Markle 
Foundation Survey).

    Appropriate privacy protections must be incorporated from the 
outset in the design of new health IT systems and policies. It is often 
difficult or impossible to establish effective privacy protections 
retroactively, and restoring public trust that has been significantly 
undermined is much more difficult than building it at the start. Now--
in the early stages of health IT adoption--is the critical window for 
addressing privacy.
    As an Internet policy organization and privacy advocate, CDT brings 
a unique perspective to these issues, based on our experience in 
shaping workable privacy solutions for a networked environment. In this 
paper, we describe why it is necessary that all parties--from 
traditional health care entities and new developers of personal health 
records, to legislators and regulators--address privacy and security in 
health IT systems. We emphasize that all stakeholders need to begin 
immediately to implement and enforce a comprehensive privacy and 
security framework in all of the various tools and processes of health 
IT.

The Consequences of Failing to Act

    Protecting privacy is important not just to avoid harm, but because 
good health care depends on accurate and reliable information.\30\ 
Without appropriate protections for privacy and security in the 
healthcare system, patients will engage in ``privacy-protective'' 
behaviors to avoid having their personal health information used 
inappropriately.\31\ According to a recent poll, one in six adults 
(17%)--representing 38 million persons--say they withhold information 
from their health providers due to worries about how the medical data 
might be disclosed.\32\ Persons who report that they are in fair or 
poor health and racial and ethnic minorities report even higher levels 
of concern about the privacy of their personal medical records and are 
more likely than average to practice privacy-protective behaviors.\33\
---------------------------------------------------------------------------
    \30\ See Janlori Goldman, ``Protecting Privacy To Improve Health 
Care,'' Health Affairs (Nov-Dec, 1998) (Protecting Privacy); Promoting 
Health/Protecting Privacy: A Primer, California Healthcare Foundation 
and Consumers Union (January 1999), http://www.chcf.org/topics/
view.cfm?itemID=12502 (Promoting Health/Protecting Privacy).
    \31\ Protecting Privacy; Promoting Health/Protecting Privacy; 2005 
National Consumer Survey.
    \32\ Harris Interactive Poll #27, March 2007.
    \33\ 2005 National Consumer Survey.
---------------------------------------------------------------------------
    People who engage in privacy-protective behaviors to shield 
themselves from stigma or discrimination often pay out-of-pocket for 
their care; ask doctors to fudge a diagnosis; switch doctors frequently 
to avoid having all of their records in one location; lie; or even 
avoid seeking care altogether.\34\ The consequences are significant--
for the individual, for the medical community, and for public health:
---------------------------------------------------------------------------
    \34\ Protecting Privacy; 2005 National Consumer Survey; Promoting 
Health/Protecting Privacy.

          The quality of care these patients receive may 
        suffer;
          Their health care providers' ability to diagnose and 
        treat them accurately may be impaired;
          The cost of care escalates as conditions are treated 
        at a more advanced stage and in some cases may spread to 
        others; and
          Research, public health, and quality initiatives may 
        be undermined, as the data in patient medical records is 
        incomplete or inaccurate.\35\
---------------------------------------------------------------------------
    \35\ Id.

---------------------------------------------------------------------------
Health IT Can Protect Privacy--But Magnifies Risks


    Health IT has a greater capacity to protect sensitive personal 
health information than is the case now with paper records. For 
example, it is often impossible to tell whether someone has 
inappropriately accessed a paper record. By contrast, technologies, 
including strong user authentication and audit trails, can be employed 
to limit and track access to electronic health information 
automatically. Electronic health information networks can be designed 
to facilitate data sharing for appropriate purposes without needing to 
create large, centralized databases of sensitive information that can 
be vulnerable to security breaches. Encryption can help ensure that 
sensitive data is not accessed when a system has been breached. Privacy 
and security policies and practices are not 100% tamperproof, but the 
virtual locks and enforcement tools made possible by technology can 
make it more difficult for bad actors to access health information and 
help ensure that, when there is abuse, that the perpetrators will be 
detected and punished.\36\
---------------------------------------------------------------------------
    \36\ See For The Record: Protecting Electronic Health Information, 
Committee on Maintaining Privacy and Security in Health Care 
Applications of the National Information Infrastructure, Computer 
Science and Telecommunications Board, National Research Council 
(National Academy Press, Washington, DC 1997) for a discussion of the 
inability of systems to be 100% tamperproof.
---------------------------------------------------------------------------
    At the same time, the computerization of personal health 
information--in the absence of strong privacy and security safeguards--
magnifies the risk to privacy. As the recent spate of large-scale 
privacy and security breaches demonstrates, serious vulnerabilities 
exist now. Tens of thousands of health records can be accessed or 
disclosed through a single breach. Recent headlines about the theft of 
an NIH laptop loaded with identifiable information about clinical 
research subjects, and the accidental posting of identifiable health 
information on the Internet by a health plan, underscore these 
concerns, and are just two of numerous examples. The cumulative effect 
of these reports of data breaches and inappropriate access to medical 
records, coupled with the lack of enforcement of existing privacy rules 
by federal authorities, deepens consumer distrust in the ability of 
electronic health information systems to provide adequate privacy and 
security protections.\37\
---------------------------------------------------------------------------
    \37\ See http://www.cdt.org/healthprivacy/20080311stories.pdf for 
stories of health privacy breaches and inappropriate uses of personal 
health information.

Elements of a Comprehensive Privacy and Security Framework That Will 
---------------------------------------------------------------------------
        Build Public Trust, Advance Health IT

    A comprehensive privacy and security framework must be implemented 
by all stakeholders engaged in e-health efforts. Such a framework, as 
outlined by the Markle Foundation's Connecting for Health, would:

          Implement core privacy principles;
          Adopt trusted network design characteristics;
          Establish oversight and accountability mechanisms.

    Congress should set the framework for national policy through 
legislation. Ensuring and enforcing adequate protections for privacy 
and security also will require coordinated actions on the part of key 
regulatory agencies, as well as industry best practices. The framework 
should be implemented in part by strengthening the HIPAA Privacy 
Regulation for records kept by the traditional health system 
participants, but also needs to address the increased migration of 
personal health information out of the traditional medical system.
    Notwithstanding the urgent need to address privacy, health 
information policy initiatives--both legislative and administrative--
are moving forward without addressing privacy and security at all, or 
they are taking a piecemeal approach that too narrowly focuses on a 
single activity, such as e-prescribing, or on just one aspect of fair 
information practices, such as the appropriate role of patient consent.
    In developing a comprehensive framework, policymakers, regulators, 
and developers of HIT systems need not start from scratch. A framework 
for HIT and health information exchange already exists, in the form of 
the generally accepted ``fair information practices'' (``FIPS'') that 
have been used to shape policies governing uses of personal information 
in a variety of contexts, most notably the HIPAA Privacy Regulation, 
which established the first federal health privacy framework.\38\ While 
there is no single formulation of the ``FIPs,'' the Common Framework 
developed by the Markle Foundation's Connecting for Health initiative, 
which includes broad representation from across the health care 
industry and patient advocacy organizations, describes the principles 
as follows:
---------------------------------------------------------------------------
    \38\ Other potential sources for policy recommendations include the 
GAO, the National Center for Vital Health Statistics and the National 
Governor's Association State Alliance for eHealth.

          Openness and Transparency: There should be a general 
        policy of openness about developments, practices, and policies 
        with respect to personal data. Individuals should be able to 
        know what information exists about them, the purpose of its 
        use, who can access and use it, and where it resides.
          Purpose Specification and Minimization: The purposes 
        for which personal data is collected should be specified at the 
        time of collection, and the subsequent use should be limited to 
        those purposes or others that are specified on each occasion of 
        change of purpose.
          Collection Limitation: Personal health information 
        should only be collected for specified purposes, should be 
        obtained by lawful and fair means and, where possible, with the 
        knowledge or consent of the data subject.
          Use Limitation: Personal data should not be 
        disclosed, made available, or otherwise used for purposes other 
        than those specified.

          Individual Participation and Control:

          Individuals should control access to their personal 
        health information:

        Sec.  Individuals should be able to obtain from each entity 
        that controls personal health data, information about whether 
        or not the entity has data relating to them.

          Individuals should have the right to:

        Sec.  Have personal data relating to them communicated within a 
        reasonable time (at an affordable change, if any), and in a 
        form that is readily understandable;
        Sec.  Be given reasons if a request (as described above) is 
        denied, and to be able to challenge such a denial:
        Sec.  Challenge data relating to them and have it rectified, 
        completed, or amended.

          Data Integrity and Quality: All personal data 
        collected should be relevant to the purposes for which they are 
        to be used and should be accurate, complete and current.
          Security Safeguards and Controls: Personal data 
        should be protected by reasonable security safeguards against 
        such risks as loss, unauthorized access, destruction, use, 
        modification or disclosure.
          Accountability and Oversight: Entities in control of 
        personal health data must be held accountable for implementing 
        these information practices.
          Remedies: Legal and financial remedies must exist to 
        address any security breaches or privacy violations.

    The Connecting for Health Common Framework also sets forth 
characteristics for network design that can help ensure health 
information privacy and security.\39\ These network design 
characteristics facilitate health information exchange not through 
centralization of data but rather through a ``network of networks.'' 
Such a distributed architecture is more likely to protect information. 
Other key elements of such a system are interoperability and 
flexibility, which support innovation and create opportunities for new 
entrants.
---------------------------------------------------------------------------
    \39\ See www.connectingforhealth.org for more details on the Common 
Framework.

---------------------------------------------------------------------------
The Role of HIPAA in the New Environment

    The federal privacy and security rules that took effect in 2003 
under the Health Insurance Portability and Accountability Act (HIPAA) 
reflect elements of this framework and provide important privacy 
protections governing access, use and disclosure of personally 
identifiable health information by some entities in the health care 
system. The HIPAA Privacy Rule was a landmark in privacy protection, 
but it is widely recognized that the regulation is insufficient to 
adequately cover the new and rapidly evolving e-health environment. For 
example:

          State and regional health information organizations 
        or health information exchanges (also known as RHIOs or HIEs), 
        which may aggregate and facilitate exchange of personal health 
        information, are often not covered by HIPAA's Privacy Rule.
          Personal health records and other consumer access 
        services now being created by third parties, including 
        companies such as Google and Microsoft, as well as by employers 
        usually fall outside of the HIPAA rules.
          Personal health data is migrating onto the Internet 
        through an exploding array of health information sites, online 
        support groups, and other on-line health tools, regulated only 
        through enforcement by the Federal Trade Commission (FTC) of 
        the general prohibition against unfair and deceptive trade 
        practices, such as a failure to follow promised privacy 
        policies.
          While the Privacy Rule includes criteria for de-
        identifying data, new technologies are making it much easier to 
        re-identify once de-identified health information and to 
        combine it with personal information in other databases, making 
        it more likely that sensitive health information will be 
        available to unauthorized recipients for uses that have nothing 
        to do with treatment or payment.

    In addition, the HIPAA rules have never been adequately enforced. 
The HHS Office for Civil Rights (OCR), charged with enforcing HIPAA, 
has not levied a single penalty against a HIPAA-covered entity in the 
nearly five years since the rules were implemented, even though that 
office has found numerous violations of the rules.\40\
---------------------------------------------------------------------------
    \40\ ``Effectiveness of medical privacy law is questioned,'' 
Richard Alonso-Zaldivar, Los Angeles Times (April 9, 2008) http://
www.latimes.com/business/la-na-privacy9apr09,0,5722394.story.
---------------------------------------------------------------------------
    Historically, states have filled the gaps in federal health privacy 
laws by enacting legislation that provides stronger privacy and 
security protections for sensitive data, such as mental health and 
genetic information. The states continue to have an important role to 
play, but relying on the states to fill deficiencies in HIPAA's Privacy 
Rule--or to regulate entities outside of the traditional healthcare 
sphere--does not provide a comprehensive, baseline solution that gives 
all Americans adequate privacy and security protections, and does not 
offer all the entities in the e-health space a predictable and 
consistent policy environment.

National Conversations about Privacy and Security Have Been Too Focused 
        on the Issue of Individual Consent

    The ability of individuals to have some control over their personal 
health information is important, and a comprehensive privacy and 
security framework should address patient consent.\41\ However, consent 
is not a panacea. If health privacy rules fail to address the range of 
privacy and security issues through concrete policies, and instead rely 
only (or significantly) on giving individuals the right to consent to 
multiple uses and disclosures of their personal health information, the 
result is likely to be a system that is less protective of privacy and 
confidentiality.
---------------------------------------------------------------------------
    \41\ Much more should be done to improve the way in which consent 
options are presented to consumers in the healthcare context. Internet 
technology can help in this regard, making it easier to present short 
notices, layered notices and more granular forms of consent.
---------------------------------------------------------------------------
    Among other reasons, a consent-based system places most of the 
burden of privacy protection on patients at a time where they may be 
least able to make complicated decisions about use of their health 
data. Most don't read the details of a consent form and those that do 
often do not understand the terms. Many wrongly assume that the 
existence of a ``privacy policy'' means that their personal information 
will not be shared, even when the policy and the accompanying consent 
form say just the opposite.\42\ If mere patient authorization is all 
that is needed to share data with third parties, highly sensitive 
patient information will be disclosed to entities that are completely 
outside the scope of the HIPAA privacy regulation. If consent becomes 
the focus of privacy protection, it is clear that patients will be 
exposed to unregulated and potentially uncontemplated uses--and misuses 
of their data. Further, if reliance on consent by an individual for any 
particular use of his or her information is treated by policymakers as 
the key to privacy protection, the healthcare industry will have fewer 
incentives to design systems with stronger privacy and security 
protections.\43\
---------------------------------------------------------------------------
    \42\ See ``Stopping Spyware at the Gate: A User Study of Privacy, 
Notice and Spyware`` (with Nathan Good, Rachna Dhamija, Jens 
Grossklags, Steven Aronovitz, David Thaw and Joseph Konstan), presented 
at the 2005 Symposium on Usable Privacy and Security (SOUPS), also in 
ACM INTERNATIONAL CONFERENCE PROCEEDING SERIES; VOL. 93, PROCEEDINGS OF 
THE 2005 SYMPOSIUM ON USABLE PRIVACY AND SECURITY, Pittsburgh, 
Pennsylvania (2005); 2005 National Consumer Survey; ``Research Report: 
Consumers Fundamentally Misunderstand the Online Advertising 
Marketplace,'' Joseph Turow, Deidre K. Mulligan and Chris Jay 
Hoofnagle, Survey conducted by University of Pennsylvania Annenberg 
School for Communications and UC-Berkeley Law School's Samuelson Law, 
Technology and Public Policy Clinic 2007.
    \43\ By contrast, a comprehensive approach puts the principal 
burden on the entities holding personal health information to protect 
privacy by placing clear enforceable limits on the collection and use 
of personal health information and backs it up with strong enforcement. 
See Beyond Consumer Consent: Why we need a Comprehensive Approach to 
Privacy in a Networked World, http://www.cdt.org/healthprivacy/
20080221consentbrief.pdf.

All Entities Should Adopt and Implement a Comprehensive Privacy and 
---------------------------------------------------------------------------
        Security Framework

    Regardless of whether or not Congress takes action to address these 
issues, states and entities developing health information exchanges and 
other health IT initiatives should commit to adoption of the 
comprehensive privacy framework outlined here. Guidance for policy 
development for health information exchanges can be found, for example, 
in the Common Framework developed by the Markle Foundation's Connecting 
for Health Project. Consumer access services such as PHRs must also 
implement the comprehensive framework through rigorous privacy and 
security protections.\44\ Such entities should make their privacy 
commitment explicit in a published privacy notice. Consumers should 
look for these promises and should measure them against the framework. 
Once companies make a privacy promise, they will be bound to it under 
the Federal Trade Commission Act. In addition, consumer rating services 
can compare and assess privacy practices, measuring them against the 
principles outlined here.
---------------------------------------------------------------------------
    \44\ See, e.g. the Best Practices for Employers offering PHRs 
http://cdt.org/healthprivacy/20071218Best_Practices.pdf.

Congress Should Establish a Comprehensive Health Privacy and Security 
---------------------------------------------------------------------------
        Approach

    Although states and the private sector should not wait for action 
by Congress to protect privacy, CDT believes that Congress should 
establish national policy to ensure that health information technology 
and electronic health information exchange is facilitated by strong and 
enforceable privacy and security protections.
    According to recent surveys:

          75% believe the government has a role in establishing 
        rules to protect the privacy and confidentiality of online 
        health information;
          66% say the government has a role in establishing the 
        rules by which businesses and other third parties can have 
        access to personal health information; and
          69% say the government has a role in encouraging 
        doctors and hospitals to make their personal health information 
        available over the Internet in a secure way.\45\
---------------------------------------------------------------------------
    \45\ 2006 Markle Foundation Survey.

    One of the major challenges in developing a comprehensive privacy 
and security framework is to integrate any new rules with the HIPAA 
privacy and security rules. Congress should consider both strengthening 
HIPAA where appropriate and establishing additional legal protections 
to reach new actors in the e-health environment.
    Congress should set the general rules--the attributes that a 
trusted health information system must have--based on the Fair 
Information Practices discussed earlier. Further, Congress should hold 
a series of hearings on some of the more difficult issues to resolve 
and develop a full record that will serve as the basis for more 
specific legislative action. In particular, Congress should consider:

          The appropriate role for patient consent for 
        different e-health activities;
          The ability of consumers to have understandable 
        information about where and how their Personal Health 
        Information (PHI) is accessed, used, disclosed and stored;
          The right of individuals to view all PHI that is 
        collected about them and be able to correct or remove data that 
        is not timely, accurate, relevant, or complete;
          Limits on the collection, use, disclosure and 
        retention of PHI;
          Requirements with respect to data quality;
          Reasonable security safeguards given advances in 
        affordable security technology;
          Use of PHI for marketing;
          Other secondary uses (or ``reuses'') of health 
        information;
          Responsibilities of ``downstream'' users of PHI;
          Accountability for complying with rules and policies 
        governing access, use, and disclosure, enforcement, and 
        remedies for privacy violations or security breaches; \46\ and
---------------------------------------------------------------------------
    \46\ See the Common Framework, www.connectingforhealth.org.
---------------------------------------------------------------------------
          Uses and safeguards for de-identified information.

Congress Also Should Enact Legislation to Strengthen HIPAA For Health 
        System Entities

    With respect to the access, use and disclosure of electronic health 
information by the traditional players in the health care system, there 
are some immediate steps Congress could take to fill some of the gaps 
in HIPAA. For example, Congress can take a number of actions to secure 
more meaningful enforcement of the HIPAA rules, including:

          Strengthening Office for Civil Right's (OCR's) role 
        by requiring it to conduct periodic audits of covered entities 
        and their business associates to ensure compliance with the 
        rules;
          Increasing the penalties associated with failure to 
        comply with key provisions of the HIPAA rules;
          Increasing resources dedicated to HIPAA enforcement;
          Requiring OCR to report to Congress on a regular 
        basis on enforcement of the rules; and
          Amending HIPAA to allow for enforcement of the rule 
        by state authorities (such as attorneys general).

    Congress should also consider enacting legislative provisions to:

          Establish notification requirements and penalties for 
        data breaches;
          Strengthen the existing HIPAA rules requiring express 
        authorization for use of patient identifiable data for 
        marketing; and
          Require electronic health systems to provide 
        consumers with access to their health information in an 
        electronic format.

    Although it is desirable for Congress to enact legislation that 
fills some of the gaps in HIPAA and to enact a general privacy and 
security framework to govern health IT, it will be impossible for 
Congress to legislatively adopt comprehensive rules that fit all of the 
various actors and business models in the rapidly expanding and 
evolving e-health environment. Therefore, a second major challenge for 
Congress is to decide what can be legislated and what must be delegated 
to agency rulemaking--and what areas are best left to be developed and 
enforced through industry best practices.

Strengthening Privacy and Security Will Also Require a More Tailored 
        Regulatory Approach

    While Congress should establish a strong framework for health 
privacy and security, it must avoid a ``one size fits all '' approach 
that treats all actors that hold personal health information the same. 
The complexity and diversity of entities connected through health 
information exchange, and their very different roles and different 
relationships to consumers, require precisely tailored policy solutions 
that are context and role-based and flexible enough to both encourage 
and respond to innovation. For example, it makes little sense to have 
the same set of rules for ``personal health records,'' which are often 
created by and controlled by patients and held by third party data 
stewards outside the healthcare system, and for ``electronic health 
records,'' which are created and controlled by health care providers 
for purposes of treatment and care management. To take another example, 
rules for use of personal health information for treatment need to be 
quite different than rules for marketing or other secondary uses. Rules 
regarding use of health information for research need to be separately 
considered as well.
    Congress should not attempt to develop all of the details in 
legislation. Rather, Congress should enact legislation specifically 
recognizing the importance of the privacy rights in health information 
across technology platforms and business models, setting out principles 
and attributes to guide one or more regulatory agencies in developing 
detailed, context-specific rules for the range of entities that 
collect, use and distribute personal health information in the new 
interconnected healthcare system. One approach would be to direct the 
Department of Health and Human Services to strengthen the HIPAA 
regulations that apply to traditional players in the health system, 
while also directing HHS or possibly the Federal Trade Commission to 
issue regulations to govern the handling of personal health information 
by new players who are part of the broader Internet marketplace and not 
part of the healthcare system. If more than one agency is to be 
involved, Congress could require them to work together to avoid issuing 
conflicting rules (as the financial services regulatory agencies did in 
developing security rules for financial information).
    Tasking HHS and/or the FTC with the responsibility for developing 
detailed regulations allows for:

          A more tailored, flexible approach that will ensure 
        comprehensive privacy and security protections in a myriad of 
        different e-health environments, and
          More regular, active monitoring of developments in 
        the marketplace and a more rapid response to newly emerging 
        privacy and security issues.

    Congress should maintain strong oversight over the regulatory 
process by:

          Requiring regulations to be developed within a 
        particular timeframe;
          Requiring satisfactory completion of the rulemaking 
        before federal HIT grants can be made;
          Mandating reporting by the agencies on implementation 
        and enforcement; and
          Vigorous oversight and reporting on implementation 
        and enforcement.

Conclusion

    To establish greater public trust in HIT and health information 
exchange systems, and thereby facilitate adoption of these new 
technologies, a comprehensive privacy and security framework must be in 
place. From traditional health entities to new developers of consumer-
oriented health IT products to policymakers, all have an important role 
to play in ensuring a comprehensive privacy and security framework for 
the e-health environment. Congress should set the framework for privacy 
and security by strengthening enforcement of existing law and ensuring 
that all holders of personal health information are subject to a 
comprehensive privacy framework. Congress can also take immediate steps 
to strengthen existing privacy rules, for example, empowering consumers 
to play a greater role in their healthcare by mandating electronic 
access to their health records. Given the broad array of entities in 
the e-health arena, the technological changes in the marketplace today, 
and the prospects for rapid innovation, much of the details of that 
framework should be worked out through the regulatory process. The 
challenge for policymakers is to find the right mix of statutory 
direction, regulatory implementation, and industry best practices to 
build trust in e-health systems and enable the widespread adoption of 
health IT.
    For more information please contact: Deven McGraw, Director, CDT's 
Health Privacy Project, 202-637-9800 http://www.cdt.org.

                                 

    Chairman STARK. Thank you.
    Dr. King.

STATEMENT OF MATTHEW KING, M.D., CHIEF MEDICAL OFFICER, CLINICA 
               ADELANTE, INC., SURPRISE, ARIZONA

    Dr. KING. Yes. Thank you, Chairman Stark and Ranking--Mr. 
Camp, and the rest of the Subcommittee Members. I am the chief 
medical officer of Clinica Adelante, which is a medium-sized 
community health center, which is located in Phoenix, Arizona. 
We have seven sites and a mobile clinic that serves remote 
areas of Maricopa County. Our clinic has 26 providers. We have 
32,000 patients and 90,000 encounters a year. About half of our 
patients are uninsured. We wanted an electronic health record 
to help us in improving the quality of care, particularly 
around areas of chronic disease management, and also to help us 
with preventative care management.
    I think the reason why I am here is because we chose an 
open source electronic health solution that was based on the 
Veterans Administration VISTA system. It is called World Vista 
EHR, and it is CCH IT-certified. We chose it for two reasons. 
The first reason was because we believe that open source is a 
very viable paradigm to be used in health information 
technology. The second reason is because a review of the 
medical literature suggested Vista is associated with improved 
patient outcomes. This association is far stronger than with 
any other electronic health system.
    So, open source software allows one to see the source code. 
It is also freely available. So, there is licensing, but the 
license is free. The important points that surround that 
particular paradigm is that innovations can come from many 
sources. World Vista has partnered at times with Veterans 
Administration, Indian Health Service, with private vendors, 
and with other funders to get projects done. Sometimes--many 
times--it's from volunteers. This collaborative development 
compounds the value and effectiveness of investments.
    For us, the idea of no licensing fees up front was very 
good, because it cost less money to come to the table. The 
collaborate leveraging that you did around open source allows 
you to re-use interfaces that are open source that we developed 
with our practice management system and with our lab systems, 
for instance, can be re-used by other community health centers 
and offices, private offices, for just the cost of 
configuration and support.
    Vendor competition in open source is probably the strongest 
reason. As you know, proprietary software basically has what 
they call vendor lock. Once you decide to go with them, you're 
pretty much stuck with them, even if you felt like it was a bad 
deal. It's very hard to walk away. In fact, I would say that 
open source is defined by the ability to have vendor 
competition, so that if I am not getting what I need from my 
vendor, I can walk away from that vendor but not walk away from 
my system. That is very important, I think, and is one of the 
main reasons why we drove to open source.
    The other part was that physicians don't prescribe medicine 
based on what drug representatives tell them. They use an 
evidence-based approach. So, the Institute of Health Care 
Improvement suggests that up to one-third of medical errors can 
be reduced by appropriate application of technology.
    So, I started to wonder if there was an aspirin of EHR's. 
To look for that, what I did was I did a literature research 
and found, hands down, that Vista has the strongest correlation 
between patient outcomes and improvements, and the use of 
electronic software.
    What happened with us is--initially, this is--outcomes and 
cost productivity declined the first week to 50 percent. In 6 
weeks it was back up to 90 percent. We are now at 100 percent 
productivity. We will have one year of production next month.
    All the functionality we hope for, including registry use 
for diabetes and asthma, is functional. We have clinical 
reminders and other--in medication interaction and allergy 
interactions.
    We're very cost conscious. We did this for $19,000, plus 
hardware costs, but that doesn't include my time and hiring a 
trainer, and it's not sustainable. What we believe is that 
sustainable costs would show a savings over proprietary systems 
of 30 to 50 percent, perhaps more if they were deployed in a 
networked environment, which we strongly favor.
    So, in summary, Vista is the aspirin of electronic health 
records. If it were a drug, every provider would prescribe it. 
But, just like generic aspirin, there is no drug 
representatives or lobbyists to sell it. Its effectiveness is 
clearly supported in the literature, but administrators don't 
have time to read the literature, so they listen to the sales 
pitch and lobbyists. In the health care industry, that could 
cost lives.
    I believe we should hold ourselves to the same standard we 
hold physicians, and use the evidence whenever possible to 
evaluate and select technology solutions, not advertising and 
marketing. That's why we chose the electronic health record 
that we chose. Thank you.
    [The prepared statement of Dr. King follows:]

        Prepared Statement of Matthew King, M.D., Chief Medical
           Officer, Clinica Adelante, Inc, Surprise, Arizona

Background

    Clinica Adelante, Inc (CAI) is a Community Health Center located in 
the Phoenix, Arizona area. We have seven sites that serve both urban 
and rural populations and a mobile clinic that serves remote areas of 
Maricopa County. The clinic has 26 providers, including family 
practice, pediatricians, internists, OB/Gyn, mid-levels, and dentists. 
We see about 32,000 individual patients annually and about 90,000 
encounters. 50% of our patients are uninsured, 40% Medicaid, 3% 
Medicare and the rest commercial insurance. We provide sliding fee 
services to those at 200% FPL or below.
    In 2000, I took over as Chief Medical Officer for the clinic. CAI 
was engaged in National Chronic Disease Collaboratives sponsored by 
HRSA. We used Wagoner's Chronic Disease Management Model \1\ to improve 
care for some of our diabetics and asthmatics, which has been 
successful in showing dramatic improvements in chronic disease 
outcomes. The model utilizes patient education, nationally recognized 
treatment guidelines, a rapid process change model known as PDSA cycles 
and a chronic disease registry. The registry is a critical piece of the 
model because it can be used to track the population and also provide a 
means for outreach. However, it is not designed to be used in the exam 
room with the patient, so the patient data needs to be entered manually 
into the registry later. This double entry of data--once in the exam 
room and once in to the registry--is error prone, time consuming and 
costly.
---------------------------------------------------------------------------
    \1\ Rothman AA, Wagner EH. Chronic illness management: what is the 
role of primary care. Ann Intern Med 2003;138: 256-61.
---------------------------------------------------------------------------
    Our desire was to extend the model to everyone that walked into the 
door so that each patient could have their own personal health plan 
based upon their age, sex, risk factors and disease states. However, we 
faced two main challenges. First, because the registries required 
double entry, we estimated that we would need to hire 24 more data 
entry specialists; however, we did not have the funds to do so. Second, 
the time required to do the preventive health would have a negative 
impact on our revenue. We knew that we needed to find an EHR solution 
that was relatively inexpensive and could support data entry into a 
registry without double entry; because it could be used at the point of 
care.

The Search for an EHR Solution

    We started a search for an EHR. The search was disappointing: The 
products were very expensive, between $200,000 to $500,000, and they 
really didn't perform chronic disease management out of the box well 
without expensive customization; and they were deployed in a consumer 
unfriendly environment that included consumer hostile contracts, vendor 
lock, poor interoperability, and a licensing and support structure that 
negated the natural leverage of collaborative networks. Because of my 
prior exposure to Linux and other open source products, I wondered if 
there were open source solutions that would address the clinic's needs.
    I would like to stop for a moment to discuss what Open Source means 
in the context of Health Information Technology (HIT). Open Source 
software allows one to see the source code and is freely available. The 
Open Source license used by organizations such as WorldVistA guarantees 
that not only is the code available to be examined, it is also 
available to be enhanced by the community and the enhancements cannot 
be lost or trapped in a proprietary product for the sole benefit of one 
vendor and its customers. Improvements must be donated back to the 
community of users. Enhancements to the code can come from volunteers, 
vendors, funded projects, IHS, VA, etc. These enhancements are checked 
by experts and only released after review. The important points here 
are that innovations can come from many sources, collaborative 
development compounds the value and effectiveness of investments, and 
the processes are transparent, organized and safe.
    The following is a list of what we perceive through our direct 
experience to be some of the key benefits of the open source model in 
healthcare:

    (1) Software quality and standardization accelerated by 
transparency--The transparency of the code assures better software 
quality and conformance to coding standards and security. Security 
flaws are more likely to be found and quickly addressed, often within 
hours of discovery. Non-conformance with open standards is not 
tolerated by both developers and users.
    (2) Rapid innovation and improvement-The improvement cycle needed 
to keep the software current in response to the dynamically changing 
healthcare environment is much more rapid than in proprietary business 
models.
    (3) Improvement driven by user needs--Enhancements and fixes are 
directly driven by what users need, not by marketing, shareholder or 
other non-healthcare related priorities. Community Health Centers, for 
instance, can drive changes to update their UDS reporting, while a 
proprietary vendor might not have the business case to make the code 
changes.
    (4) Lower total cost of ownership--No licensing fees mean less 
upfront and lower total recurring costs.
    (5) Competition focused on service excellence--Flexible support 
fees mean greater chances to leverage technology. For instance, if 
support fees are fixed by number of servers, not providers, every 
provider assigned to that server will spread the costs over more and 
more users. In the traditional model, every provider added to the 
system will cost another license and more support fees.
    (6) Collaborative leveraging of resources to improve ``products''--
Open source means quality management tools, clinical tools, interfaces, 
training and deployment materials are all shared. Going forward, the 
costs to participate are less and less.
    (7) The ultimate competitive free market economy--Vendor 
competition in open source is not distorted by the effect of vendor 
lock in. Open source prevents vendors from actively and purposefully 
using closed code to maintain their advantage over clients. Vendor 
competition encourages fair support pricing, great customer service and 
innovation. It also provides the consumer with a way out if the vendor 
goes out of business or is not responsive. Open source is a simple 
survival of the fittest business ecosystem which is driven and focused 
by evidence based improvement of both health quality and costs.

    Taken in aggregate, these advantages create strong financial and 
quality incentives to join cooperative networks and collaborate. This 
in turn accelerates improvement of safety and quality through best 
practice sharing and reducing isolated islands of healthcare data.
    Our search for an appropriate EHR led us to VistA in 2000, while 
researching open source alternatives. Unfortunately, at the time it was 
nowhere near ready for easy deployment outside the Veterans 
Administration (VA) so we continued to search for a solid EHR in the 
usual ways, but found the process disappointing. The process is not 
unlike being detailed by a pharmaceutical representative, so I started 
wondering what I could learn by comparing the two. Most physicians 
don't prescribe medicine based upon what the drug representatives tell 
them. Instead they use an evidence-based approach. This is now an 
expectation and considered a standard of care in medicine, because 
evidence-based medicine saves lives. According to the Institute for 
Healthcare Improvement, nearly one third of all medical errors could be 
prevented by applying appropriate technology.\2\ So applying technology 
can save as many lives as prescribing aspirin after a heart attack! I 
began to wonder, is there an aspirin of electronic health records? What 
does the evidence based literature say about EHR and impact on quality? 
Is there one in particular that stands out? Shouldn't applying the 
medical evidence to the choice of HIT be the standard of care since it, 
like aspirin, can potentially save so many lives? What I found in the 
literature shocked me.
---------------------------------------------------------------------------
    \2\ Crossing the Quality Chasm: A New Health System for the 21st 
CenturyCommittee on Quality of Health Care in America, Institute of 
Medicine, Washington, DC, USA: National Academies Press; 2001.
---------------------------------------------------------------------------
    It turns out that a search of the peer reviewed medical literature 
shows that the VA VistA EHR system is one of the only EHR systems that 
has been associated with improved outcomes. By contrast, the literature 
says almost nothing about proprietary systems and outcomes. Moreover, 
VA's costs only went up 0.8% between 1995 and 2004, while Medicare 
costs increased by over 40%. \3\
---------------------------------------------------------------------------
    \3\ Robert A. Petzel, Director, Veterans Integrated Services 
Network 23, Compelled to Act: it's called survival, Powerpoint 
presentation, slide 14, available at http://www.amq.ca/congres2006/pdf/
Compelled_to_Act-Robert_Petzel.pdf.
---------------------------------------------------------------------------
    Once we understood the role of VistA in the VA's transformation and 
performance our search was over. In addition we also became aware of 
the CMS VistA Office EHR initiative, the WorldVistA not-for-profit and 
the efforts to adapt VistA for use outside the VA. This work would 
ultimately lead to WorldVistA providing a CCHIT version (WorldVistA 
EHR) licensed under an open source software license. The only open 
source EHR to achieve CCHIT certification is WorldVistA. . . . Suddenly 
the advantages of the open source model would be available using a 
CCHIT certified VistA clone!

Clinica Adelante's WorldVistA EHR Implementation Strategy

    So after applying evidence-based studies and recognizing the 
importance of an open source model in healthcare, we chose WorldVistA 
to do a demonstration project. We developed a relationship with 
WorldVistA and became a development site during the CMS project. A key 
contribution our site made was to pilot a full open source platform 
which included the open source operating system Linux, and the open 
source database GT.M to further cut licensing costs.
    We leveraged and made use of the extensive resources and 
documentation which the VA makes available through a number of public 
web sites such as the VistA University training materials. Other 
examples of leveraging the open source model include:

          modifying an installation checklist found on the VA 
        documentation website for our use to direct our installation 
        efforts
          developing an open source interface to our practice 
        management system (PMS) for registration and scheduling
          integrating test ordering and results reporting with 
        our external reference lab; our providers order labs in 
        WorldVistA EHR and the results return as discrete data directly 
        into WorldVistA EHR
          development of chronic disease registries that allow 
        data to be entered at point of care and reported in many forms 
        including a HIPAA-stripped form for uploading to state and 
        national chronic disease databases
          implementation of real time drug order checks, 
        automated clinical reminders and automated provider alerts
          development of pediatric templates, including state 
        approved EPSDT forms

    We formed four teams, using our staff and external consultants to 
help with the work and build buy in, including our key stakeholders 
early in the process. We hired a clinician to a training role and hired 
trainers to train him. The preparation phase took 8 months and we went 
live August 10, 2007 in Surprise, AZ at our busiest clinic.

Outcomes and Costs

    Initially, as with any intervention of this magnitude productivity 
declined . . . in our case to 50% of our usual level in the first week, 
but it recovered to 85-90% in six weeks. We are now at 100% 
productivity at our first site. Our referrals department can now do 10-
15 referrals per hour, compared to only 6 per hour before 
implementation. We don't lose medical records any more and they are 
always available for the patient visit when we need them. We lost no 
staff or providers as a result of the project. Staff immediately loved 
the system, but the providers only tolerated it at first. Now, no 
provider desires to return to the old way or to paper charts.
    Our registry functions also appear to be very successful. We now 
have two registries--one for diabetes and another for asthma--
configured. Now 100% of qualified patients are selected automatically 
for entry by the computer. This will allow planned care to be scaleable 
to 100% of our patients without hiring extra data entry specialists. We 
will be able to provide outreach and improved chronic disease 
management to a much larger population of patients. For instance, when 
we used the registry that required double entry, we were only able to 
use Wagoner's model on about 800 diabetics. Now we can use it on all of 
our patients with Diabetes. That is over 3000 diabetic patients. We 
will also be able to extend the Chronic Disease Model to other types of 
chronic disease, like depression, coronary artery disease and 
hypertension. Eventually, we hope to give every patient their own 
personal health plan, using the VistA registry technology.
    We were very cost conscious with the first implementation. We had 
no special grants. Our development costs were approximately $19,000 
dollars, plus hardware costs. This does not include the salary of the 
trainer. Nor does it include lost revenue from staff meetings and 
lowered productivity, or my time as project leader. To achieve this, I 
spent most of my administrative time, evening and weekends working on 
the project. It is doubtful that others can expect to achieve what we 
did with the same budget, nor should it be so difficult to do the 
``right thing'' by patients.
    Since the demonstration project, we have also implemented our EHR 
at another site and also with the (mobile) rural health team. We are 
developing a 16 week implementation cycle that can be staggered to 
allow two implementations in different phases. We have started a 
network with two other community health centers and a small safety net 
non-federally qualified clinic. Although the demonstration project 
allowed us to show clinical success and estimate reduced costs compared 
to proprietary systems, the project has stalled without more funding. 
Our analysis of sustainable costs show a savings of 30 to 50% over 
proprietary systems, perhaps more as the network grows larger. Even so, 
this cost remains out of reach for most offices. Ultimately, we view 
the EHR as a tool to reduce medical errors, improve patient care and 
stabilize the costs of healthcare. Developing these strategies is 
possible with systems like WorldVistA EHR, but are unlikely to co-
evolve on their own. Proper planning, adequate funding and well 
designed incentives are all necessary to drive projects like these 
forward. In fact, without more funding, we will not be able implement 
WorldVistA EHR across all our network sites. This network represents a 
quarter of a million patient visits a year--that is a lot of patients 
who we could be reaching and whose care we could be improving with 
health IT but which we cannot, because of lack of funding.
    Based on our practical experience, our view is that VistA is hands 
down the best system available, is the only solution backed by solid 
scientific evidence to prove it, and costs 50-70% of the costs of 
comparable proprietary systems. The fact that it is open source and was 
developed by with taxpayers' money makes it a logical and very 
affordable choice for a large segment of the US health system.

Health Improvement through health IT and the need for incentives

    Health improvement through health information technology is a tough 
sell to providers in general because it temporarily affects 
productivity as providers learn how to use the system. Moreover, any 
cost savings (like less ER visits because of better control of asthma) 
are realized downstream from the user and tend to accrue largely to the 
patient and the health care purchaser. Incentives are a very powerful 
tool to effect change that successful businesses use all the time. In 
this context, it is the fastest way to increase the rate of provider 
adoption for health IT.
    Incentives certainly could increase the rate of adoption, but just 
giving incentives for EHR acquisition will not improve quality. 
Incentives must be tied to quality improvement or reporting clinical 
measures to have the desired effect. Connecting offices through 
networks tasked with quality improvement would work. The most 
innovative approach would be to move completely away from volume based 
reimbursement to value based pay. Pay for performance is a step in the 
right direction, but still relies on volume.
    However, it is important to note that quality incentives need an 
adequate HIT infrastructure with enough connectivity and sufficient 
granularity to report clinical measures at the provider level. This is 
why as a first step, I believe it is important that provider incentives 
be tied to the adoption of EHR systems. I believe further that EHR 
systems should support these important clinical and quality reporting 
functions.
    In addition, a provider might need time and support to get used to 
the system and learn to use it effectively. This is why I believe 
provider incentives should encourage network membership. Networks are 
better prepared than small offices--much less solo practitioners 
working on their own--to evaluate EHRs for the necessary functions, 
have the capital to customize them as needed and the expertise to 
deploy them, secure them and support them. Networks can also better 
connect with existing HIE, Medicaid transformation grant projects, labs 
and other ancillary services, etc. Provider support and clinical 
improvement will be greater with network formation and will also 
achieve the goals of better connectivity and improved quality.

Myths about VistA and open source applications

    Before I conclude, I want to dispel the many myths floating out 
there about the VistA system and open source applications in general.
    Myth #1: the M coding language is too old to be used in a modern 
healthcare system. This is false and most large proprietary healthcare 
vendors, Epic for example, use it. There are many innovations taking 
place outside the VA right now that show the robust and flexible nature 
of the M based code.
    Myth #2: Open source is unfair in a competitive market. Open source 
stimulates competition unlike proprietary systems whose goal is to lock 
in users and monopolize the market. Proprietary systems are only in a 
competitive market until the client signs on the contract line. Then 
the relationship becomes very lopsided. I have been to many Health 
Information Conferences and have listened to the best speakers. They 
always say deciding on a healthcare vendor is like getting married, 
because it will be a long-term relationship. It is very difficult to 
change vendors because of vendor lock. Then they talk in the remaining 
hour about all the ``pre-nuptials'' you must get because you can't 
trust any of the vendors. Open source has competition at multiple 
levels, but primarily on support services and training which are the 
most important factors in successful and sustainable adoption of a 
solution. In the case of WorldVistA EHR both large and small companies 
can compete against each other with the same a high quality, CCHIT 
system. Large companies are definitely interested, too. For instance, a 
major US systems integrator has just won the contract to provide all of 
Jordan's public health system (46 hospitals, 500 clinics) with the 
WorldVistA EHR. With open source vendor competition, you reduce price, 
eliminate vendor lock and improve customer service. Open source is a 
true free market.
    Myth #3: The VA code is too expensive to maintain. VistA, under the 
open source model has flourished. Clinica Adelante was able to fund an 
extraordinary amount of customization for a moderate amount of money. 
Moreover, these enhancements are available for other offices for the 
price of configuration and support. Some of the code done by WorldVistA 
has found its way back into the VA system. There is an extraordinary 
opportunity for governmental agencies like the VA and Indian Health 
Service to work with private businesses and not for profits to further 
their missions.
    Myth #4: Open source applications are more vulnerable to security 
breaches. Because open source code is transparent, there is a myth that 
it is insecure. This has not proved true at all. Breaches are often a 
result of poor coding practices. The transparency of the code demands 
that peers code to the highest levels. Moreover, it is scrutinized by 
expert before it is released. The result is clear: Nobody runs anti-
viral software on (open source) Linux, nor do they need to. Everybody 
runs anti-viral on Windows (closed code) and they would be crazy not 
to. Moreover, with so many eyes looking at the code, more security 
flaws are found before breach and more quickly corrected, often within 
hours.

VistA is the aspirin of EHRs

    VistA is the aspirin of EHRs and if it was a drug, every provider 
would prescribe it. But just like generic aspirin, there are no ``drug 
representatives'' or lobbyists to sell it. Its effectiveness is clearly 
supported in the literature, but administrators don't have time to read 
the literature. So they listen to the sales pitch and the lobbyists. In 
the healthcare industry, that could cost lives. In healthcare, when 
lives are at stake, I believe we should hold ourselves to the same 
standard we hold our physicians and use the evidence whenever possible 
to evaluate and select technology solutions . . . not advertising or 
marketing hype. And that is why Clinica Adelante chose VistA EHR.

                                 

    Chairman STARK. Thank you.
    Mr. Jones.

      STATEMENT OF LEROY JONES, GSI HEALTH, PHILADELPHIA, 
                          PENNSYLVANIA

    Mr. JONES. Thank you, Mr. Chairman. My name is Lee Jones. I 
am the founder and chief executive of a company called GSI 
Health. It's a health IT consultancy based in Philadelphia. In 
that capacity, I am involved in a number of industry and 
government-sponsored initiatives to bring about large scale 
interoperability among health care applications and 
enterprises.
    One role I currently hold is as senior advisor and 
architect for the New York e-Health Collaborative, which is 
building a statewide health information exchange, and has 
invested in excess of $100 million thus far to do so.
    I am also the program director of the health information 
technology standards panel, which--sounds as though many of you 
are already familiar with. It's a Member organization that has 
over 400 organizations from various corners of the health care 
industry who have come together to select standards for 
interoperability. I am grateful for the opportunity to testify 
before you today.
    As you noted, consumers in today's global economy have 
become accustomed to instant access to information, and have 
hit a speed bump, if you will, on the information super highway 
when it comes to their medical records. It's not as though the 
information doesn't exist. There is certainly electronic 
representations of clinical records and administrative records. 
But often they are not able to be brought to bear at the time 
and place that they are needed.
    So, I have come to say today that that is changing. As you 
noted, Mr. Chairman, the Department of Health and Human 
Services has established several different initiatives in order 
to move this ball forward. They established American Health 
Information Community, which is a group of 18 government and 
business non-profit organization leaders fostering the adoption 
of interoperable electronic health records throughout the 
country.
    In order to meet the community's objectives, there is also 
the office of national coordinator, which really is the 
implementation arm of what the community tries to do. The 
national coordinator has funded several initiatives which are 
well known at this point, and I will just name, so that we can 
get to my larger point.
    The first is to harmonize all the electronic standards for 
health care in the country. The health information technology 
standards panel, which I am involved with directly, identifies 
and selects the necessary standards that will bring about an 
interoperable exchange of health care data. The panel then 
develops further guidance that we call interoperability specs, 
which really give instructions for different vendors to build 
independent ``instantiations'' of software that will, when 
brought together, be interoperable with one another.
    So, without collusion, different vendors are able to be 
interoperable, and have some guarantee of interoperability. 
That's sort of the intention of the standard selection process.
    The second key initiative is to ensure that the electronic 
medical record, or the electronic health record, has a proper 
floor functionality, that it can be defined, if you will, and 
that there is a place that one can go to in order to verify 
correct implementation of health care standards.
    So, the certification commission for health information 
technology does exist for that purpose. So, it is not enough to 
say these are the standards that one should adhere to. We have 
to have a system that allows the verification that a vendor, in 
fact, used those standards and used them correctly, so that we 
can ensure interoperability.
    The third key initiative is to catalog all of the privacy 
and security paradigms that exist in different jurisdictions 
because, as we know, that is often a great barrier to 
interoperability, and there isn't a clear cut silver bullet 
solution to solving how we reconcile those differences.
    So, the first step is at least to understand what those 
differences are, so that we can begin to understand how they 
might be harmonized. So, the health information security and 
privacy collaboration has been started by the Department of 
Health and Human Services to catalog those, and has spurred 
many efforts to remove key barriers to interoperability.
    Then, last, there is an initiative to establish a real 
health information exchange network, which both demonstrates 
feasibility of implementing interoperability standards in an 
effective way, as well as propagates their use broadly by 
connecting real systems to each other. So the Nationwide Health 
Information Network, or NHIN, as it's sometimes referred to, 
orchestrates implementation of interoperable standards within 
the context of real world health delivery environments across 
different regions in the country.
    These efforts have now been established, and are 
complementary, and are coordinated as one system. They have 
established a dominant design whereby interoperability will 
continue to be achieved in an ongoing fashion, whereas no such 
systems existed like that prior to AHIC and ONC's 
establishment.
    We now have an accepted system in place to harmonize and 
advance appropriate standards. We now have an accepted system 
in place to verify correct implementation of those standards. 
We now have an accepted system in place to catalog our privacy 
and security differences. We now have an accepted system in 
place to identify and ultimately remove barriers posed by these 
different aspects.
    Over the past few years, these initiatives have 
demonstrated that it matters how the Federal Government 
participates, and not just that it participates. So, leveraging 
the familiar paradigm of consensus-based development, we have 
found that when people come together and are partly owners of 
the solution, as opposed to having solutions foisted upon them, 
they actually are more receptive and likely to do a good job in 
implementation.
    I think that the question before us is one of both supply 
and demand. On the demand side, there are many incentives that 
can be brought to bear in order to bring about--or to 
incentivize people to adopt technology. But demand increasing 
will increase supply in the market. However, we don't just want 
an increase in supply, we want the supply to increase in a way 
that fosters interoperability. So that requires coordination.
    So, what we have been focused on is trying to coordinate 
the supply side of this, so that when that demand is increased 
through incentives and other things, we are able to, in fact, 
supply that in an interoperable way. I thank you.
    [The prepared statement of Mr. Jones follows:]

     Prepared Statement of LeRoy Jones, GSI Health, Philadelphia, 
                              Pennsylvania

    Mr. Chairman and distinguished members of the Subcommittee, my name 
is Lee Jones, and I am the founder of GSI Health, a healthcare 
information technology consultancy. In that capacity, I am involved in 
a number of industry and government-sponsored initiatives to bring 
about large-scale interoperability among healthcare applications and 
enterprises. One effort I currently support is the very important work 
happening in New York State to create shared policies and technical 
protocols for interoperability. This effort has over $100 million 
invested in a statewide collaborative process to develop a standards-
based health information exchange network among a number of regional 
efforts within the state. Additionally, I currently serve as the 
program director of the Healthcare Information Technology Standards 
Panel (HITSP), a volunteer-driven cooperative partnership between the 
public and private sectors that is working to ensure the 
interoperability of electronic health records in the United States. I 
am grateful for the opportunity to testify before you today on the need 
for harmonized electronic data exchange standards and infrastructure to 
empower patients and healthcare providers.

The Current Landscape of Healthcare Information Technology

    Through my years of work in healthcare information technology, I 
know that patients are often treated by doctors with incomplete medical 
information. Patients often do not know their medications, their 
medical history or their latest laboratory results. Patients seek care 
from a wide variety of primary care providers, specialists, hospitals, 
clinics, laboratories, imaging centers and pharmacies--all of which 
have disconnected pieces of their medical record.
    Patients, providers and payers believe that communication among 
caregivers is key to delivering quality, personalized medicine. Many 
think that electronic records shared across the entire community of 
clinicians is key to care coordination.
    According to a national survey published earlier this month in The 
New England Journal of Medicine, only 17% of clinicians in the U.S. 
have a basic system of electronic health records in their offices. 
Among the doctors who have access to electronic health records systems, 
97-99% report using all of the system's functions at least some of the 
time.\1\ However, data does not flow among all these systems partly 
because of the inconsistent use of data standards, lack of a consistent 
architecture for exchange of data, the lack of a trusted means to 
validate consistent and compatible implementations of standards and 
architecture, and the lack of agreement on privacy policies held by 
different jurisdictions.
---------------------------------------------------------------------------
    \1\ DesRoches et al (2008). ``Electronic Health Records in 
Ambulatory Care--A National Survey of Physicians.'' The New England 
Journal of Medicine, Volume 359(1):50-60.

---------------------------------------------------------------------------
The Need for a Coordinated Approach Toward Interoperability Enablement

    Consumers in today's global economy have become accustomed to 
instant access to information. News, music and movies can be accessed 
real-time on a handheld device. Products and services from multiple 
providers can be located, compared and purchased online. Financial 
accounts can be managed, bills can be paid electronically, and funds 
can be withdrawn at ATMs anywhere in the world.
    When it comes to their personal health information, however, 
patients have felt a speed bump on the information superhighway. The 
records exist, but doctors, pharmacies, and insurance companies use 
disparate systems that make the exchange of information slow and 
cumbersome, thus retarding timely access to the information in the 
routine delivery of care.
    But all of this is changing.
    U.S. Department of Health and Human Services (HHS) Secretary 
Michael Leavitt has established the American Health Information 
Community (AHIC), a group of eighteen government, business, and non-
profit organization leaders charged with fostering adoption of 
interoperable electronic records throughout the country. The AHIC has 
been essential to moving national interoperability efforts forward by 
articulating and prioritizing specific scenarios, often referred to as 
``use cases'', which focused industry efforts on specific and tangible 
areas where healthcare interoperability is needed and can be achieved 
through concerted work. Equally as important, the AHIC has served as a 
conduit to the Secretary of HHS to identify the results of the 
industry's work to achieve interoperability in the areas of those use 
cases, so the Secretary can hold up said results for all Federal 
agencies and initiatives to leverage appropriately. These standards 
that the Secretary holds forth are known as ``recognized standards'' 
and have an appropriate lead time that enables testing and evaluation 
before achieving recognized status, which is when Federal partners are 
expected to use these standards. Thus, the first generation of 
recognized standards have had that status for only slightly more than 
6-months, and so we anticipate increasing adoption and system 
interoperability as these standards are given a chance to be planned 
for and implemented in Federal and private-sector systems in an ongoing 
fashion over the coming months.
    In order for the objectives of the AHIC to be met in a purposeful 
and directed way, the HHS-based Office of the National Coordinator for 
Health Information Technology (ONC) has funded a coordinated effort to 
accelerate electronic medical record interoperability efforts. This 
effort is comprised of several symbiotic initiatives, four of which I 
will mention here:
    The first is to harmonize all the electronic standards for 
healthcare in the country. Currently there are more than a dozen 
organizations creating healthcare information standards in the U.S. 
These standards are at times redundant, competitive and non-
interoperable. Further, sometimes there are no appropriate standards 
available to enable particular kinds of healthcare transactions. To 
achieve the kind of universal functionality our ATM cards provide 
today, the country must agree on a common set of healthcare information 
standards, implemented consistently by vendors and healthcare providers 
alike. The organization I support, the Healthcare Information 
Technology Standards Panel, or HITSP, has been sponsored by ONC to 
harmonize the relevant information standards, working with the various 
authoring organizations of these standards, industry stakeholders of 
all types, and affected Federal partners to disambiguate the use of 
standards when several compete, and to push for establishment of needed 
standards where none exist.
    The second key initiative is to ensure electronic medical records 
provide the basic functions needed for a doctor to record and transmit 
patient medical information. The average patient over 80 years old has 
ten medications and three clinicians. Rarely is there any coordination 
of care among caregivers to assist these patients, and others, with 
bringing to bear a correct picture of their health status (history, 
treatments, medications, current issues, etc.) into each new healthcare 
encounter. But in order for care providers to more easily share 
patients' clinical information which may be held in their particular 
electronic health record systems, objective criteria to certify that an 
electronic record system meets the basic requirements for data capture 
and exchange is essential. The Certification Commission for Healthcare 
Information Technology, or CCHIT, provides certification and validation 
services that enable healthcare IT vendors and implementers of various 
kinds to verify the correctness of their implementations of 
interoperability standards and key system functions.
    The third key initiative is to catalogue privacy and security 
policies across the nation toward the end of reconciling their 
variances in a manner that enables interoperability. In Massachusetts, 
for example, doctors cannot retrieve a complete electronic medical list 
from insurance companies, even with patient consent, if a medication 
related to mental health, substance abuse or HIV treatment is present. 
In Ohio, doctors must use a cryptographic electronic signature to 
prescribe medications electronically. In California, only paper signed 
consent forms (not electronic forms) are considered a valid patient 
consent. The laws that created many of these regulations were 
appropriate 30 years ago when electronic systems lacked the 
sophistication available today, but now are an impediment to delivering 
safe, patient focused care. The Health Information Security and Privacy 
Collaboration, or HISPC, has begun this cataloguing effort and has 
spurred many efforts to remove key barriers to interoperability related 
to divergent privacy and security practices.
    The fourth key initiative I will discuss here is to ensure that a 
real health information exchange network is established which both 
demonstrates the feasibility of implementing interoperability standards 
in an effective way, as well as propagates their use broadly by 
connecting real systems. All standards are merely theoretically useful 
until proven through real implementation. The Nationwide Health 
Information Network, or NHIN, orchestrates implementation of 
interoperability standards within the context of real-world health 
delivery environments across different regions in the country. Often, 
these implementations involve a number of vendor products and platforms 
that adopt the desired standards through NHIN, and subsequently spread 
them through their normal channels in the marketplace.
    These four ONC initiatives plus the AHIC are critical to the rapid 
advancement of healthcare interoperability for several reasons.
    First, prior to the government becoming actively involved in this 
type of public/private partnership through the activities of ONC, 
interoperability efforts through the standards development 
organizations' activities alone led to a highly fractured system that 
was not converging in any meaningful way. Therefore, the Federal 
Government must stay involved in the process for ultimate success to be 
achieved in moving the entire industry.
    Second, the model AHIC and ONC have been cultivating over the past 
few years has shown that it matters how the Federal Government 
participates, not just that it participates. Leveraging the familiar 
paradigm of consensus-based development and adoption of standards in 
the United States has led to wider participation and buy-in than has 
been achieved through other methods such as unassisted market forces or 
heavy-handed mandates. It is important to allow private sector entities 
have ownership in the process of developing the interoperability 
solutions they will need to implement. It is most effective when they 
can innovate around, and adopt standards and architecture in a manner 
where their incentives are aligned with the collective goals.
    Third, these efforts have now established complementary and 
coordinated systems that have set the dominant design for how 
interoperability will continue to be achieved in an on-going fashion 
whereas there were no such systems prior to AHIC and ONC. We now have a 
system in place to harmonize and advance appropriate standards. We now 
have a system in place to verify correct implementation of those 
standards. We now have a system in place to develop and proliferate the 
technical network to interconnect healthcare partners. And lastly, we 
now have a system in place to identify and ultimately remove barriers 
posed by divergence in privacy and security practice.
    Lastly, the efforts of the AHIC and ONC have inspired smaller-scale 
replicas to emerge around the country. The AHIC use cases are reused or 
customized for local interoperability efforts. The consensus processes 
used for standards harmonization are mimicked by regional efforts that 
need to arrive at their own technology blueprints. In the parlance of 
the internet community, the current national interoperability 
initiatives are ``viral''.
    For the balance of this testimony, I will provide further details 
around the areas I am most involved in, namely establishing 
interoperable networks and architectures, and harmonizing 
interoperability standards. The intention here is to convey a greater 
insight into how these initiatives are operating to foster 
understanding of why the current efforts are working well.

Health Information Exchange Networks

    I am currently involved in two significant efforts to establish 
networks that enable the exchange of healthcare information among 
various healthcare software applications. These efforts are to build 
the Statewide Health Information Network of New York, called the SHIN-
NY (pronounced ``shiny''), and the Nationwide Health Information 
Network, called the NHIN. These efforts are actually related inasmuch 
as the SHIN-NY is intended to be a microcosm of the NHIN in New York. 
The development of technical infrastructure through these projects is 
catalyzing the adoption of interoperability standards and actual data 
sharing among providers.
    Building these networks is a complicated undertaking. Not only do 
different sets of standards need to be integrated, but additional 
elements beyond information standards need to be ``standardized'', such 
as technical methods associated with all networks (e.g.--ensuring the 
reliability of the and availability of the network). It involves 
deciding what technologies are ready for implementation, what level of 
backward compatibility will be supported, and what emerging 
technologies are likely to persist enough to include in the technical 
plan.
    The NHIN has published a number of technical specifications 
regarding the detailed handling of not only healthcare standards, but 
also methods for communication in the transmission of messages, 
security techniques, as well as paradigms for distributing 
functionality across the network without centralized control (critical 
for quick adoption where policy hurdles regarding centralized control 
may abound). The NHIN has also established a shared testing environment 
that may be leveraged broadly to ensure accurate utilization of 
interoperability standards. There are over ten participating regions 
and entities in the NHIN, including Federal partners, volunteer 
organization, and regional teams funded by ONC. This pioneering is an 
important step in realizing ubiquitous interoperability.
    The SHIN-NY is leveraging the work of a number of different efforts 
to achieve its goals in New York. It has modeled its local business 
cases on the published AHIC use cases, and has even extended them to 
encompass local concerns such as the utilization of Medicaid data in 
data exchange. It has also taken the HITSP interoperability standards 
and incorporated them into the design of statewide network, further 
entrenching these important specifications. New York is participating 
in an initiative sponsored by the Centers for Disease Control and 
Prevention to implement a biosurveillance system using the 
corresponding AHIC use case and HITSP standards, and this work is 
integrated into the SHIN-NY effort as well. And finally, as a 
participant in the NHIN, New York is leveraging the technical 
specifications, testing environment, and experience the NHIN has 
amassed over the past few years. In addition to all of this leverage of 
existing work, the SHIN-NY will contribute its own technical protocols 
and services that will be usable across New York and beyond.
    These efforts both have designs to not only establish technology 
that will be interoperable, but also to serve as reference 
implementation models for other efforts to learn from and to reuse. The 
learning, including much of the design and some of the new software 
from these initiatives will be made available in the public domain. 
This will fuel the fledgling open source projects in healthcare as they 
are the most likely to leverage these new assets. Whether it is 
bolstering the open source assets, or transforming the landscape of 
commercial products as they integrate into the network, these 
significant initiatives to build networks for information exchange are 
propelling the industry forward into a more interoperable state.

The Role of the Healthcare Information Technology Standards Panel 
        (HITSP)

    ``Within ten years, every American must have a personal electronic 
medical record . . .''
    --President George W. Bush, April 26, 2004
    When President Bush called for every American to have an electronic 
health record by 2014, he was outlining his vision for a healthier 
nation. To help make this vision a reality, the public and private 
sectors are working together to define and build an information network 
that would support the secure exchange of health data across the United 
States.
    In the fall of 2005, the HHS Office of the National Coordinator for 
Health Information Technology (ONC) awarded multiple contracts to 
advance President Bush's vision for widespread adoption of 
interoperable electronic health records (EHRs). The contracts targeted 
the creation of processes to harmonize standards, certify EHR 
applications, develop nationwide health information network prototypes, 
and recommend necessary changes to standardized diverse security and 
privacy policies.
    As coordinator of the U.S. voluntary consensus standardization 
system and proven provider of standards-based solutions to national and 
global priorities, the American National Standards Institute (ANSI) was 
selected to administer the standards harmonization initiative, in 
cooperation with strategic partners the Healthcare Information and 
Management Systems Society (HIMSS), the Advanced Technology Institute 
(ATI), and Booz Allen Hamilton. The resulting collaborative, known as 
the Healthcare Information Technology Standards Panel (HITSP), brings 
together representatives of the private and public sectors to make 
possible the interoperable exchange of health care data across the 
United States.
    The Panel's work is driven by a series of Use Cases (i.e., business 
needs) that are issued by AHIC. Based on the needs outlined in each Use 
Case, HITSP develops guidance documents known as Interoperability 
Specifications (IS) that recommend the standards that will meet the 
defined clinical and business requirements for sharing information 
across organizations and systems. During this process, HITSP also 
identifies and documents any gaps in standards which must be resolved.
    Once an IS is recognized by Secretary Leavitt, agencies 
administering or sponsoring federal health programs are required to 
implement the standards where applicable. These work products (IS) are 
intended to be supportive to the developing Nationwide Health 
Information Network (NHIN) for the United States and also to community 
and regional health information exchange networks.
    HITSP is a volunteer-driven, consensus-based operation. The Panel's 
480 member organizations represent consumers, health care providers, 
public health agencies, government agencies, standards developing 
organizations, and other stakeholders--all working together to identify 
the most appropriate standards for specific use cases involving 
patients, providers, and government agencies. HITSP is committed to an 
open and transparent mode of operation and to facilitating standards 
harmonization efforts that support interoperability, accurate use, 
access, privacy and security of shared health information.

The Standards Harmonization Process

    HITSP's most important work is the development of a well-defined, 
repeatable process to identify the most appropriate standards for each 
AHIC use case.
    A standard specifies a well-defined approach that supports a 
business process and has been agreed upon by a group of experts, has 
been publicly vetted, provides rules/guidelines/characteristics, helps 
to ensure that materials, products, processes and services are fit for 
their intended purpose, is available in an accessible format, and is 
subject to an ongoing review and revision process. Harmonization is 
required when a proliferation of standards prevents progress rather 
than enables it.
    In some cases, redundant or duplicative standards will be 
eliminated. In other cases, new standards may be established to span 
information gaps. In all cases, the resulting standards serve the 
consumer and other healthcare stakeholders by addressing issues such as 
data accessibility, privacy and security.
    Our process to date is:

    a. AHIC and its working groups develop Breakthroughs.
    b. AHIC Working Groups or other customers prepare a HITSP 
Harmonization Request.
    c. HITSP Technical Committees identify candidate standards, which 
are harmonized into a final list of standards. They also identify 
overlaps and highlight gaps. Gaps are forwarded to standards developing 
organizations for their guidance as to emerging candidate standards or 
new standards requirements.
    d. HITSP Coordinating Committees provide technical committees with 
important background information to support their work, such as 
objective criteria to evaluate the appropriateness of standards for a 
given purpose.
    e. The final chosen standards produced by the Technical committees 
are discussed and ratified by the full Panel.
    f. These standards are made available for public comment and 
feedback.
    g. Technical committees work with standards developing 
organizations and other groups to produce detailed specifications, an 
unambiguous ``cookbook'' for the implementation of chosen standards. 
HITSP provides a convening and facilitation function for this activity.
    h. HITSP work products are delivered to AHIC for their endorsement.
    i. After AHIC endorses HITSP work, the Certification Commission on 
Healthcare Information Technology will include HITSP specifications in 
its certification work. Hospitals and clinicians will be more likely to 
buy products, which are certified as interoperable. This will lead to 
increased success of vendors, which embrace standards and 
interoperability.

Progress to date and next steps

    The first priorities assigned to HITSP were in the areas of 
Electronic Health Records (EHR) (e.g., the electronic delivery of lab 
results to providers of care), biosurveillance (e.g., data networks 
supporting the rapid alert to a disease outbreak), and consumer 
empowerment (e.g., giving patients the ability to manage and control 
access to their registration and medication histories). In January 
2007, HHS Secretary Michael O. Leavitt accepted HITSP's recommended 
standards, known as ``Interoperability Specifications (IS)``, for a 
one-year period of implementation testing. In January 2008, the 
Secretary announced his formal recognition of the HITSP IS.
    According to Executive Order 13410 signed by President Bush in 
August 2006, federal agencies administering or sponsoring federal 
health programs must implement any and all relevant recognized 
interoperability standards. These standards also become part of the 
certification process for electronic health records and networks.
    Three additional sets of HITSP IS--Emergency Responder-Electronic 
Health Records; Consumer Access to Clinical Information; and Quality--
were accepted by the Secretary for implementation testing in January 
2008 and new IS on Medication Management was submitted to the Secretary 
for acceptance in Spring 2008.
    New work is also underway to address interoperability needs in six 
additional areas: personalized health, transfer of care, remote 
monitoring, secure communications between patients and providers, 
public health case reporting, and immunizations and response.
    The HITSP Education, Communications and Outreach Committee has 
strived to educate interested stakeholders on the future of healthcare 
information technology and how the public can shape the standards that 
will promote interoperability. This summer, the Committee is sponsoring 
an educational webinar series that informs the public of the work that 
is currently underway to support the exchange of healthcare information 
in the U.S.
    Beyond 2008, HITSP will continue to produce recommendations and 
reports in Interoperability Specifications and related Constructs. 
These work products are intended to be equally applicable to the 
developing Nationwide Health Information Network for the United States 
(NHIN) and also to community and regional health information exchange 
networks.
    From consumers to doctors, nurses and hospitals; from those who 
develop health care IT products to those who use them; and from 
government agencies to organizations that are developing the standards 
upon which these new health systems are based--everyone has a role to 
play in shaping the new U.S. healthcare IT infrastructure.
    Thank you very much for your attention, and I look forward to any 
questions you may have.

                                 

    Chairman STARK. Mr. Whitlinger.

  STATEMENT OF DAVE WHITLINGER, DIRECTOR OF HEALTHCARE DEVICE 
       STANDARDS AND INTEROPERABILITY, INTEL CORPORATION

    Mr. WHITLINGER. Thank you. Good morning, Mr. Chairman, and 
fellow Members of the Committee. My name is David Whitlinger, 
and I am the director of health care standards at Intel. I 
appreciate the opportunity to appear before your Committee to 
testify on promoting the adoption and use of health information 
technology.
    Let me start by saying that I am honored to be here, 
representing Intel Corporation in this important health care 
information technology discussion.
    As many Members of the Committee may know, Intel has been a 
major contributor to the worldwide information technology 
sector for 40 years now. As a corporation, we have participated 
in the transformation of countless industries as they have 
adopted PC's, data servers, high-speed communications networks, 
data visualization tools, wireless networks, and other 
information technologies to increase their productivity, 
improve efficiency, and thereby achieve greater quality in 
their products and services.
    What industry sector is in greater need, if not dire need, 
of higher efficiency and productivity--and, perhaps most 
importantly, measurable quality--than the U.S. health care 
industry? As you are all well aware, our nation currently 
spends nearly two times as much as any other country in the 
world on health care, weighing in at roughly 16 percent of our 
gross domestic product, or $2.2 trillion. Without a dramatic 
change, we are on course to hit $4.3 trillion within 10 years.
    Health care IT is obviously not the silver bullet that will 
single-handedly overhaul our Nation's health care industry, but 
broad industry adoption of information technologies will 
improve efficiencies, increase productivity, reduce costs, and 
give us all quality measurements that we can be nationally 
proud of.
    So, first, we commend Secretary Leavitt for his recognition 
and commitment to health IT by his development of a strategic 
plan that lays the groundwork for the transformation to higher 
quality, more cost-efficient patient-focused health care 
through electronic health information.
    We would like to see Congress provide a framework to ensure 
the continuation of the Certification Commission for Health 
Information Technology, known as CCHIT, and the Health Care 
Information Technology Standards Panel, known as HCITSP, and 
encourage industry organizations that are at the forefront of 
consumer or patient-centered health care, like the Continua 
Health Alliance.
    The Continue Health Alliance is an industry-led consortium 
of over 160 companies that is driving personal health care 
interoperability through standards and certification testing 
for health devices like blood pressure cuffs, glucose meters, 
pedometers, weight scales, personal computers, and cell phones. 
These are the personal health devices that can help an 
individual become empowered to better manage their own health, 
thereby reducing their dependency on the health care system 
itself, and at the same time improving their overall health: 
empowered, informed, healthy citizens.
    Second, we would strongly encourage Congress to develop 
financial incentive programs to jumpstart health care IT 
implementations across the nation. We commend the Ways and 
Means health Subcommittee for challenging the current system by 
considering direct incentives for providers of Medicare and 
Medicaid services to convert from the paper-based, inefficient, 
and at times dangerous systems, to using the technologies we 
take for granted in every other industry.
    As a large self-insured employer, we are willing to step 
up, and we have in certain regions where we have large 
concentrations of employees. But we need government partnership 
to support more transformational programs, create the financial 
incentives to move the entire U.S. health care system to an 
electronic health care record that can help increase efficiency 
of the health care providers, increase accessibility of patient 
health data across providers, and provide a foundation for a 
quality measurement system.
    How can we improve the quality of health care in our 
country, or even measure what we are providing our citizens for 
$2.2 trillion without data? Congress should explore 
reimbursement options for health care providers in the Medicare 
program that will facilitate the use of health information 
technology for quality improvement, and evaluate the benefits 
of providing grants and loans to providers to help reduce the 
barriers to investment and future health IT solutions.
    Last, I would like to speak to you, as a large employer. 
With over 60,000 employees here in the United States, we, 
unfortunately, are on track to spend close to $1 billion on 
health care for our employees in the next couple of years if 
something doesn't change.
    We look forward to working with Congress to improve the 
efficiency of our nation's health care system, to help keep 
U.S. companies competitive, and improve the quality of health 
care in this country to a level that we can all be proud of. 
Thank you.
    [The prepared statement of Mr. Whitlinger follows:]

           Prepared Statement of Dave Whitlinger, Director of
  Healthcare Device Standards and Interoperability, Intel Corporation

    Thank You. Good morning Mr. Chairman and fellow members of the 
committee. My name is David Whitlinger and I am the Director of 
Healthcare Standards at Intel. I appreciate the opportunity to appear 
before your committee and to testify on technology in U.S. healthcare.
    The topic discussed today is of utmost importance. Not only does 
our nation currently spend almost two times our nearest competitor per 
capita on healthcare, but the costs are having a dramatic effect on the 
ability of U.S. businesses to remain competitive in an ever growing 
global economy. At approximately 16% of the GDP, we can no longer 
afford to move ahead with business as usual. Unless something is done 
soon to dramatically overhaul our broken healthcare system, the coming 
age wave and rise in chronic conditions will overwhelm our ability to 
pay for and provide the kind of care we expect in this country. 
Further, we do not get better results for our $2 trillion dollar spend. 
U.S. healthcare fails to stand up to comparison on a wide range of 
quality measures with other mature countries. Clearly something has to 
change. Spending more or providing less is not a solution. We need to 
provide better care at lower total cost.
    I represent Intel, a large U.S. technology company which has helped 
transform countless other industries utilizing the power of 
information. Today, you and I reap the benefits of years of investment 
and work to put the power of information directly in the hands of 
consumers. It's hard for some of us to remember life before personal 
computers, cell phones, portable music players, and in-car navigation 
systems.
    Additionally, Intel is a large U.S. employer with headquarters in 
the Silicon Valley which currently employs approximately 60,000 U.S. 
citizens. We are on a path to spend $1 billion annually on healthcare 
within the next few years. Just the annual cost of healthcare for an 
Intel employee and family of four exceeds the fully loaded cost 
(including salary and benefits) of one qualified engineer in many 
developing nations. Our employees are our greatest resource. We need 
the best and brightest minds working on the challenges of the 21st 
century.
    Because we, as an employer, pay into the system in three ways via 
corporate taxes, employee benefits and the cost shift from the 
uninsured, we see healthcare as an issue that must be addressed and 
solved if U.S. business is to remain globally viable and able to 
provide quality jobs and benefits to our employees and beneficiaries.

Healthcare Missed the Revolution

    Intel has been at the center of technology change for 40 years, 
driving efficiencies in every part of the economy. The PC and the 
Internet have literally changed the world--they have changed the way we 
communicate, the way we access information, the way we conduct 
business, and the way we entertain ourselves, except for one critical 
industry, healthcare. Paul Otellini, Intel's CEO, cites Intel's work in 
the health industry as a case in which our technology and leadership 
may help resolve some of society's thorniest issues. By reducing the 
cost of healthcare ``the single biggest opportunity we have--to address 
the single biggest problem that certainly the U.S. and many of the 
Western countries are going to have--and ultimately the world.''

Intel Employer Initiatives

    Not only has Intel seen the value of investment in the 
infrastructure necessary to keep our products on the cutting edge of 
future demand, we also have seen the value of investment in our own 
people.
    In 2005, Intel, Cisco and Oracle launched an effort to 
incrementally change the way employers pay for healthcare services for 
our employees. The program, known as the Silicon Valley Health IT 
initiative, is a collaborative effort among seven large IPA's 
(Independent Practice Associations) representing 25 distinct practice 
sites and more than 1,800 physicians. The goal is to help the system 
shift toward a more patient centered approach with rewards for the use 
of IT to provide better communication, care and follow-up.
    Early data has shown promising results and each year the bar is 
raised to drive toward NCQA (National Committee for Quality Assurance) 
guidelines and patient satisfaction. We'll continue to look for ways to 
lead the change around how we pay for the care provided to our 
employees and their dependants.
    As we know, action follows money. Different outcomes require that 
we rethink how we pay for care in the U.S. We need to transition from 
the fee-for-service treadmill that is driving more and more providers 
out of the profession. As funders of the system, the ones who actually 
write the checks, we have the power to work with the delivery system to 
help align the incentives and reward the right care. Simple examples 
are electronic prescriptions, electronic communication between patient 
and clinician, remote diagnostics and monitoring, electronic health 
records, etc. Additionally, Intel has made the commitment to deploy on-
site clinics for our larger facilities. We are combining these clinics 
with a renewed emphasis on employee health and wellness. While these 
clinics are not a new concept, we believe it is another step toward 
establishing a culture of wellness and convenience to our associates.

Dossia

    Intel is also one of the founding members of Dossia, a non-profit 
organization initiated by a consortium of large U.S. employers for the 
purpose of creating a national system to deliver lifelong, personal, 
private, and portable health records for their employees. The focus is 
to leverage employers as the purchaser of healthcare services and place 
the health data into the hands of employees and their families with a 
strong firewall between the employee records and the employer. This 
will be a national platform that will provide personal control to the 
employee over an independent, non-tethered view of their patient 
information. With a complete picture of their health, employees will be 
free to exercise more choice and thus drive competition for the higher 
quality, patient-centric healthcare.

Federal Leadership

    We believe government has to help lead the way toward systemic 
transformation, by developing new care paradigms and new financing 
alternatives.
    Given the enormous technology advances in all other industries, 
it's time for healthcare to reap the same benefits and it will take 
leadership by the Federal Government partnering with private industry 
to provide funding, and standards to promote an open architecture for 
health IT interoperability. We commend Secretary Leavitt for his 
recognition and commitment to Health IT by developing a strategic plan 
that lays the groundwork for the transformation to higher-quality, more 
cost-efficient, patient-focused health care through electronic health 
information. We want to see Congress provide a framework to ensure the 
continuation of CCHIT and HITSP, organizations at the forefront of 
federal Health IT.
    Congress has been actively engaged through the Senate HELP and 
House Energy and Commerce committees developing opportunities for 
loans, grants, and pilots to stimulate the deployment of electronic 
medical records. The Medicare Reform bill passed last week follows a 
path recommended by AHIC (American Health Information Community) to 
provide incentives for Medicare/Medicaid doctors to move electronic 
prescriptions.
    With U.S. healthcare spending at $2.2 trillion, $7K/person, 16% 
GDP, and 4 times the spending on national defense, and 125 million 
citizens facing chronic disease, 60 million with multiple conditions, 
the state of the U.S. healthcare system demands a more comprehensive 
approach.
    We commend the Ways and Means Health Subcommittee for challenging 
the current system by considering direct incentives for providers of 
Medicare and Medicaid Services to convert from the paper based, 
inefficient and inherently dangerous systems to using the technology we 
take for granted in every other industry. It's not just about routers, 
wireless Voice over IP (VOIP) and telehealth equipment and electronic 
medical records. Transitioning to a data rich environment provides an 
opportunity for improved tracking, analysis and understanding of 
expenses and outcomes that drive healthcare decisions. How do you track 
quality improvements without data? How do the oversight committees 
realistically appraise the state of healthcare in the U.S. or set 
benchmarking standards for reimbursement schedules without electronic 
medical systems? And more importantly, how are patients cared for 
without a holistic understanding of their diagnosis, testing and 
treatment?
    Think Y2K, when the Federal Government working with industry, 
avoided a meltdown of the economy through funding and partnership in a 
highly technical area. Federal Government leadership played another key 
role in the healthcare industry when the Federal Government's decision 
to move to electronic billing records revolutionized not only the 
Medicare/Medicaid payment systems, but provided leadership for the 
private payers as well. Purchasing power of the Federal Government will 
move the meter nationwide.

Case Example: Banner Health IT

    I'd like to share a case example of one hospital's experience after 
deciding to integrate technology in the construction and operation of 
their facilities. Banner Estrella Medical Center in Phoenix combined 
clinician-designed workflows, extensive training, with a cultural 
change to save the system $2.6 million through:

          Improvements in nurse retention
          Decreased incidence of adverse drug events
          Reduced length of stay
          Fewer patients leaving the ED without treatment
          Reduced days in A/R
          Decreased expenses

    The patient experience improves dramatically as well. Patients 
aren't asked the same questions over and over again--the first 
clinicians to interview a patient chart the information, and everyone 
on the care team is able to review the information digitally. 
Clinicians don't waste time chasing after paper charts, and when they 
consult with other clinicians, each person can simultaneously access 
the charts. Clinicians use wearable Voice-Over-Internet Protocol phones 
(VoIPs), so patients' sleep isn't interrupted by frequent overhead 
pages. Nurses have a more comprehensive view of patients, so they are 
better able to develop a comprehensive plan of care to advance the 
patient in his or her recovery. Even many clinicians who were reluctant 
adopters of a paperless system now say they would never want to work in 
a paper-based hospital again.
    Offering incentives to convert to a health IT platform for Medicare 
and Medicaid providers offers the opportunity to change the healthcare 
system in a dramatic way, both qualitatively and through cost savings. 
We urge the Ways and Means Committee to act now to find the right 
combination of payment incentives, tax benefits, pilot programs and low 
cost loans that will elevate the world's costliest system into the 
world's best healthcare system.

Value of Measurements and Interoperability

    One of the critical gaps in today's existing health care IT is the 
lack of standards and interoperability. Hospitals and clinics have no 
shortage of expensive advanced technology, but often these devices do 
not communicate with each other. X-Rays and test records are not 
portable between doctors or health systems. Tests are often repeated 
unnecessarily, wasting money and time while the patient waits for a 
critical decision.
    As President of the Continua Health Alliance, a worldwide non-
profit, open-industry coalition of healthcare and technology companies, 
I am pleased with the progress our 250 members have made to voluntarily 
develop a system of standards that will promote harmonization of 
personal health products. We have just announced a set of Bluetooth 
standards that will promote wireless interoperability of these 
products.

Back to the Future_Home Centered Health Care 

    Over 70 million aging baby boomers could overwhelm the U.S. 
healthcare system and engulf the nation's tenuous economy, according to 
a new study, ``Will the Boom Bust Health Care?,'' by management 
consulting firm Tefen USA. Internationally, the United Nations shows 
the number of people aged 70 and older doubling in 25 years to 1.2 
billion in 2025.
    Recognizing the impact of these demographics, Intel researchers 
launched an unprecedented study of seniors and chronically ill patients 
in 1999. Our ethnographic researchers have observed and interacted with 
more than 150 hospitals and clinics and 1,000 households in 20 
countries. We became passionate about enhancing independence and 
finding solutions to help individuals, family members and caregivers 
stay in touch with the people they care about. We are learning that 
consumer education combined with home computers, wireless networks, 
televisions and cell phones offer new ways to increase prevention, 
early detections and caregiver assistance. We are designing systems 
that better connect to information interaction, safety and security, 
and health and wellness. Through ongoing monitoring and patient 
education, we can begin to shift the process of improving outcomes 
while keeping patients at home and independent.
    While the bulk of health care today is delivered in hospitals and 
clinics, today's acute care-centered system is ultimately unsustainable 
in the future.
    The old one-on-one physician to patient paradigm will not suffice. 
We need to move away from the physician-centered care delivery paradigm 
toward a patient centric model where delivery and funding are channeled 
via care teams with a community approach toward care. IT is a powerful 
enabler to help provide the care necessary to meet this tide head on.
    Intel's goal for healthcare solutions is to connect people and 
information across the continuum of care to improve healthcare and 
quality of life. Interconnected personal health innovations will keep 
people healthy and living at home longer, and help individuals, 
families, and the extended healthcare community, and connect to the 
right information at the right time. These new technologies will 
empower people to make better, more informed health decisions and 
become an integral part of the healthcare system.

Global Health Race

    Between now and 2013 the EU and the private sector will invest more 
than =1bn in research and healthcare innovation for older people. Some 
=600m is to be invested in the ambient assisted living program, while a 
further =400m is included in the EU's latest research framework 
program. In addition, about =30m in research funds have been made 
available this year under the European Union's ICT Policy Support 
Program.
    Through an unprecedented partnership with the Irish government 
Intel launched the TRIL (Technology Research for Independent Living) 
Centre creating one of the largest research centers of its kind. This 
active research collaboration between industry and academics drives 
knowledge transfer through the collective work of multidisciplinary 
research teams. The TRIL Center is building an open, sharable research 
platform and co-invents new technologies for older people and their 
families.
    The U.S. shows evidence of quickly being left behind in this global 
marketplace largely ignoring, avoiding or under-investing in aging-in-
place and home health R&D. One exception is the Oregon Health and 
Science University Biomedical Engineering Lab developing technologies 
for early detection and remediation of aging changes. The university is 
using biosensors to continuously monitor seniors' movements and develop 
new ways of detecting cognitive impairment. Another example is CAST, 
the Center for Aging Services Technologies, a partnership Intel co-
founded with the not-for-profit long term care advocacy group AAHSA, 
the American Association of Homes & Services for the Aging. From the 
White House Conference on Aging to several demo days in the Senate, 
CAST, now with more than 500 care providers, technology companies, and 
universities involved, has brought national and international 
visibility to the needs of older people, their families, and their 
physicians.
    By adopting a platform of innovation and care for the ``age wave,'' 
U.S. businesses, governments, and NGO's have the opportunity to not 
only create centers of excellence but also provide a new economic 
frontier serving the U.S. and across the globe.
    Once again, thank you for acknowledging the role of the Federal 
Government in accelerating the U.S. adoption of a robust and effective 
health IT ecosystem. We look forward to working with the Committee as 
you develop policy incentives to ensure that the U.S. becomes a center 
of excellence.

                                 

    Chairman STARK. I want to thank the panel very much. This 
is a problem that actually has concerned some of us on the 
Committee for over 15 years. I think it was Mr. Gravitts and I 
who had talked about outcomes research more than 15, 20 years 
ago.
    I have a feeling that that is impossible to develop, unless 
we have some kind of universal database, and we can find out 
what happens--not whether you survive a procedure, Dr. King, 
but what happens 5 years after the procedure? Which procedure 
is better? Unless we have some kind of database, we're just 
never going to know.
    Peter, could you address the issue of the incentives that 
you think are necessary from two points? One, my sense is that 
doing it through the tax code leaves out the not-for-profit 
segment of the provider community. So, that leaves a big hole, 
if that's where we're going to do it. Second, the smaller 
providers, the solo practitioners, the small, very small 
groups--less than five, let's say--that Dr. Ejnes's group 
represents, don't see the same ``savings'' that Kaiser 
Permanente sees. I mean, Kaiser can use their own system, as 
they do now, and probably save a whole lot of money. But, for a 
solo practitioner, that's not as good.
    Well, how could we incentivize these two different 
extremes? Can we do it any other way? You say the stick. I've 
suggested that we start with a supplement, and that means Dr. 
King and others who spent money already get some of it back. 
Because whatever system we pick isn't going to make--90 percent 
of the people are going to be unhappy because it isn't their 
system, and they're going to have to make some changes and 
adopt.
    Those who don't have a system we'll front-end load it, and 
then glide down to zero subsidy and--in 5 years, say--and then 
in the subsequent 5 years, start penalties. So, you get 5 years 
and some money they get into the system, and then if you're not 
in it in 5 years, we start to penalize. It would be a system--
could you comment on those ideas?
    Mr. ORSZAG. Sure. First, I think it is, for context, 
important to realize that the entities that find it most 
beneficial--the integrated health plans--have already largely 
adopted. These institutions are behaving rationally. Those that 
see the largest benefits from this have been the leaders in 
adopting it.
    With regard to the Tax Code, you're right that non-
profits--you have to either be--leave them out, or be very 
clever about transferability, about clever--and it creates 
problems in the Tax Code--in extending benefits to non-profit 
entities. So, I will leave it at that, but you are right to 
identify that as a significant issue in any tax incentive that 
is intended to provide help to non-profits.
    With regard to solo practitioners, I guess there is this 
tradeoff, which is unless you're going to provide massive 
subsidies--you know, $20,000, $30,000, $40,000 or more for 
those solo practitioners--you are going to wind up in a 
situation in which they are going to bear some costs that are 
not fully reimbursed, or fully offset, and it's really up to 
you.
    I mean, I believe that the only way we're going to get to 
nearly universal adoption is ultimately with some stick, as it 
were, or some penalty, if you will, as the e-prescribing 
legislation did. You can easily, if you wanted to, offset most, 
if not all, of the costs up front. It's just you're going to be 
bearing larger budgetary costs in doing that. That's obviously 
a choice that would be up to you.
    What I would say, though, is it seems unlikely that, unless 
you're going to have very, very large budget costs, that you're 
going to get nearly universal through purely the carrot 
approach.
    Chairman STARK. Well, you are right. We have been faced 
recently with a series of ads--I'm not sure who is running 
them--in the Post showing us the ``$1 billion profits'' that 
some of these not-for-profit systems are making, and the $6 
million and $8 million and $12 million annual paychecks that 
the chief executive officers of some of these large--you're not 
one of those, are you, Dr. King, getting----
    Dr. KING. I'm wondering where I can apply.
    Chairman STARK. Me too. But--and I suspect they're the ones 
that already have the system, and they can well afford it.
    I wanted to go to Dr. King and maybe Mr. Whitlinger. I am 
happy to say, Mr. Whitlinger, I just found out that my Mac just 
crashed due to a RAM chip, but Intel didn't make it. We think 
Samsung did, but I will recommend to Steve Jobs that you make 
those chips, and then maybe the darn thing will work better.
    But, Dr. King, you use Vista, that you just--the one that 
the Veteran's Administration has, and makes available for 
anybody for free?
    Dr. KING. Well----
    Chairman STARK. Or an iteration of it? I don't----
    Dr. KING. An iteration. Basically, what happened is because 
it was developed by the VA, you can obtain Vista under the 
Freedom of Information Act. That particular--the way it is when 
it comes to you, it's not very practical. So----
    Chairman STARK. Somebody said that somebody out there in 
the world is rewriting it, the Vista program, to bring it 
into--and here, my 13-year-old would have to explain to me the 
technology--but rewriting it in a form that would be usable in 
modern-day computers.
    Dr. KING. Well----
    Chairman STARK. It, too, will be available, free.
    Dr. KING. Well, what happened was--it's sort of already 
happened--the CMS had a grant, and was able to take the Code 
and open source it through this grant, so it could be used in 
an office-based setting.
    Chairman STARK. Okay.
    Dr. KING. That was developed by World Vista----
    Chairman STARK. Now, if I am a patient in your clinic.
    Dr. KING. Yes.
    Chairman STARK. I go to Kaiser in Oakland, can they 
access--they have IPIC, or something like that--could they 
access my record in your clinic, if I happened to be in Oakland 
and needed treatment?
    Dr. KING. Today they could not, no.
    Chairman STARK. It's my understanding that if I am a 
patient in the Veterans Administration, and I end up in an 
emergency room at Oakland, if they have my password and code, 
they can--the doctor in the emergency room at Pilot Hospital in 
Oakland--could get on the Internet and get my Vista records. Is 
that your understanding?
    Dr. KING. My understanding is they could go and get the 
patient health record----
    Chairman STARK. Yes.
    Dr. KING [continuing]. That the patient actually has 
entered, but not the electronic health record that Vista has. 
In other words, there is a----
    Chairman STARK. I thought they could, but I am----
    Dr. KING. Only if they have access--that system is locked 
down pretty well.
    Chairman STARK. Okay.
    Dr. KING. Unless you have all the access, and--it would not 
work.
    Chairman STARK. Would not something of that nature be 
desirable--and I ask the physicians on the panel--at some point 
for treating emergencies and/or treating people who move from a 
primary care doc to a specialist, to have, as Vista does, all 
the--imaging is electronic, so there is no paper image any 
more, but film images. You can just get all of this out of the 
ether. Would that not be an advantage to practitioners? Dr.----
    Dr. EJNES. Yes, it would be. In fact, I would argue that 
the full potential of physicians adopting electronic health 
records will not be achieved until we get there. The--and this 
is what's going on--I mean, I'm involved--I'm also on the board 
of directors of the Rhode Island Quality Institute, which is a 
recently designated RHIO, and that's something we are trying to 
do within the state, is to get the hospitals, the labs, other 
physicians, to be able to exchange information.
    It doesn't require everybody at the user end have the same 
software, just as you can access the web on your Mac and I can 
on my PC. But the concept of the exchange is key to our 
success.
    Chairman STARK. Yes, I think you say it, and I would be 
concerned Mr. Jones's clients, and Mr. Whitlinger, while we--
each person here--may have a different e-mail--I use AOL 
personally, but something else here in the House, but I can get 
to my AOL mail on a Mac or a PC in the airport, if I get into 
the--you know, borrow somebody's. So, it's--to that extent, 
that is my definition of--I can have a separate little program 
that either encourages pornography or sorts spam, or whatever 
it wants to do, but I can do that from any computer that is 
available. Is that what your clients--is that what you suggest 
to your clients, Mr. Jones?
    Mr. JONES. Yes. We certainly try to bring about 
interoperability without reducing the freedom of choice of the 
particular end user point solution. I think that, you know, and 
electronic health record, in this regard, is sort of akin to 
that, an end user point solution.
    Chairman STARK. Ms. McGraw, I am not avoiding you, but I 
know some of my colleagues know much more about the privacy law 
than I do.
    Ms. MCGRAW. Okay.
    Chairman STARK. Even--some of them went to law school, so 
they understand really the nuances of it, which I don't. As a 
banker, I sued George Schultz when he was Secretary of the 
Treasury, because he was trying to get into the bank records, 
and it went to the Supreme Court, and I lost. But nonetheless, 
that's the last time I got involved in privacy issues.
    Are there any of the witnesses who feel that we could get 
to a database that I think we all desire for research, 
sanitized for privacy protection, and that would save the money 
that Dr. Orszag suggests that we could get, without the Federal 
Government--or perhaps AMA, I don't know--somebody saying, 
``This is the system in which everybody must participate?''
    On the other hand, is there anybody who thinks that would 
be a disaster, in terms of free enterprise and getting where we 
want to get?
    I can--anybody want to--that's my last question. Mr. 
Whitlinger, you're the biggest free enterpriser, next to Dr. 
Orszag here, in terms of money that you spend. How would Intel 
come up with that?
    Mr. WHITLINGER. Well, certainly, there are interoperability 
standards being developed, and that are being implemented, that 
would allow us many, many systems across the nation that could 
be linked together and provide us the functionality that would 
be necessary to provide the physicians with the ability to 
transport health records back and forth, in order to serve 
their patients and to also have a secure private network that 
you describe.
    Chairman STARK. Dr. Ejnes.
    Dr. EJNES. Yes, Sir. If you are referring to everybody 
adopting the same electronic health record application, for 
example, I think, based on what's out there today, and the 
needs of offices today, I think I would say disaster.
    Having been through the process a couple of years ago of 
weeding through the hundreds of different products, it's very 
clear that if you've seen one practice you've seen one 
practice. Certain physicians want all the bells and whistles, 
others want ``Bring it out of the box and let me use it.'' The 
types of practice, locations, and other needs really dictate 
which product is the best one. The certification commission has 
played a major role in helping to narrow down the choices for 
us, as well as have us poised for interoperability.
    But I think, unless it were a product that didn't exist 
today, to have it be the universal one, even if it were 
inexpensive, would be problematic.
    Chairman STARK. Let me follow that up, because I am afraid 
I don't have the vocabulary to adequately deal with this. But 
my assumption would be that I could get the entire organized 
medical fraternity and sorority to nod with me if we started 
with age, weight, blood pressure, cholesterol, all those kind 
of empirical things that we all have in our psyche, okay, or in 
our physiology. So, I don't think there is any quarrel there. 
We say, ``Okay, every record has got to have my name, race, 
age, sex,'' you know, all the stuff. Okay?
    Beyond that, I also think we could agree that, as Vista 
does, all the pictures, or whatever they take of us--CAT scans 
and all, x-rays and that sort of stuff, can be stored 
digitally. So, no quarrel there, right?
    Dr. EJNES. Right.
    Chairman STARK. Now, as to my program for--my schedule in 
Congress has a place where my wife can get in touch with my 
scheduler and add the shopping list for Fresh Fields that I am 
supposed to pick up on the way home. That might not be required 
in every system, but the ability to do it could very well be 
there without disadvantaging--can't we get to some level 
where--and then, let the specialities--it's my understanding 
that thoracic surgeons and the anesthesiologist do have a 
database of more than half of all the procedures performed in 
the last 5 years. That's pretty good. But I don't think there 
are many others that do that. Is that a----
    Dr. EJNES. Yes. I think that's----
    Chairman STARK. I mean, doesn't somebody have to outline--
--
    Dr. EJNES. Yes.
    Chairman STARK [continuing]. That system?
    Dr. EJNES. Yes. I think what you are getting at is the 
development of standards.
    Chairman STARK. Okay.
    Dr. EJNES. I think we have made a lot of progress. This is 
not my field, but----
    Chairman STARK. Then what I should say is somebody has to 
define the standard.
    Dr. EJNES. Yes. I think we have. I mean, there are 
standards that exist for communicating a lab report, an image, 
you know, the patient--discharge somebody from the hospital, 
and that's come out of these different collaboratives that were 
described by the other panelists.
    So, yes, I think that has to be the foundation for whatever 
then is acquired by the physicians, just as, you know, TCPIP is 
the way that we communicate data across the Internet. So, 
whether you have a Mac, a PC, a Blackberry, you're able to 
communicate.
    Chairman STARK. Do you have a feeling on this, Mr. Jones? 
Your clients, what would they say about all of this? Or what do 
you say to your clients about all of this?
    Mr. JONES. I think that the last point is exactly right, 
that we are--you know, if I made an analogy, we don't want to 
tell everyone they have to drive the same car, because some 
people--or the same motor vehicle--because some people need a 
pick-up truck and some people need, you know, to be compact, et 
cetera. But we do want to define what a car is, that it moves, 
it has wheels, it has a steering wheel, et cetera.
    So, in that sense, I think that this system that you're 
describing is, in fact, the selection of standards that would 
govern how a car operates. You know, there could be enforcement 
about various things: You must have seatbelts for safety, you 
know, et cetera.
    Chairman STARK. We don't have that yet, do we?
    Mr. JONES. Well, what we do have is a number of different 
standards development organizations that all are trying to 
define that car. Sometimes they define slightly different cars.
    So, what we have tried to do in HITSP is to bring them to 
the table and say, ``You know, this is really--let's 
compromise, and this is really what the definition should be 
about a car.'' So, I think that there is not a lack of 
standards. In many cases, there may be ``too many standards.'' 
So we need to select and harmonize them.
    Chairman STARK. Would it be helpful for, say, the Federal 
Government to establish a standard and say, ``Here it is, guys, 
and now let's all figure out how we can compromise to work on 
one standard?''
    Mr. JONES. Well, I think that the Federal Government is 
doing that through the sponsoring of HITSP. The establishment, 
in this case, is to bring the Federal stakeholders and the 
private stakeholders together to agree and say it's not an 
option to not agree. ``We will move forward, whether you are at 
the table or not, but you have the opportunity to come to the 
table, and we will agree that this''----
    Chairman STARK. We have to complete that, then.
    Mr. JONES. Absolutely.
    Chairman STARK. Okay. Mr. Camp, would you like to inquire?
    Mr. CAMP. Well, thank you. Being from Michigan, I certainly 
like these car analogies. I hope--and what my bill tries to do 
is actually codify what these groups are doing at HHS, and 
bring them together to come up with standards.
    But also, I think it's important that we have the people 
who build cars at the table. So, we do need to have a viable 
private sector role in this. I don't think people in the 
government know how to define a car without the help of the 
people who build the cars. So, that's why I think we are trying 
to strike this balance in the legislation that we have.
    I do just want to mention that Dr. Reding, who was going to 
testify here on behalf of the Marshfield Clinic, they have 40 
years of IT development at their--in their experience, and they 
didn't receive any direct Federal funding to pursue HIT. But 
they did express concerns about the privacy language, and the 
commerce bill, or the Protect Act that is moving through. 
Really, this idea that there is a limited data set of data that 
is moving forward, they believe would certainly affect peer 
review, quality review, quality improvement, standard of care 
review.
    So I do think, while this privacy issue is a complex one, I 
think we have to make sure that we keep certain simple truths 
in place, and that is this idea that those involved in health 
care can consult with others in health care for the purposes of 
treatment, this implied consent issue, that we don't erode that 
to the point where we hurt those positive things that are 
moving forward.
    But let me just say, Dr. Orszag, you know, from your 
testimony I got the sense you feel that society, as a whole, is 
spending enough on health care, in terms of a percent of our 
economy. Is that something that you--in your comments, that's 
what I drew, at least, a conclusion. Would that be a viable 
conclusion of your comments?
    Mr. ORSZAG. Well, I don't know whether we're spending 
enough or not. What I do know is we could be getting a lot more 
from what we're spending.
    Mr. CAMP. So, we are not getting value for what we are 
spending.
    Mr. ORSZAG. We are not getting enough value----
    Mr. CAMP. So, we are spending too much for what we get.
    Mr. ORSZAG. That is correct.
    Mr. CAMP. Now, you mentioned that--this idea of a non-
integrated and integrated system--and for those of us who may 
not be the policy wonks that others are--traditional Medicare 
is a non-integrated system, correct?
    Mr. ORSZAG. Traditional Medicare pays for non-integrated 
care----
    Mr. CAMP. That's a yes?
    Mr. ORSZAG. Yes.
    Mr. CAMP. Medicare Advantage is an integrated system, 
correct?
    Mr. ORSZAG. Medicare Advantage----
    Mr. CAMP. Much like an HMO is an integrated system.
    Mr. ORSZAG. Could be, yes. It depends on the exact 
definition of an integrated----
    Mr. CAMP. So you would conclude that integrated systems, 
like health HMO's, better realize benefits from HIT than non-
integrated systems like Medicare. That's a conclusion you draw 
in your report.
    Physicians, you mention, have little incentive to adopt 
HIT. Should we incentivize them to do that?
    Mr. ORSZAG. I am going to leave the ``should'' up to you. 
What I would say is if you want to capture this--you want to 
improve the efficiency in the health system, you need to get 
toward more universal health IT. You can do that, again, in a 
variety of ways. You can provide a positive or a negative 
incentive. I guess I could put it that way. But we do need to 
change the incentives.
    Mr. CAMP. All right. Dr. King, the Marshfield Clinic 
believes that Congress should subsidize the use of health IT 
through Medicare, to promote the rapid adoption of those 
systems. You mentioned that just 3 percent of your health 
system patients are Medicare beneficiaries. So, this means that 
a clinic like yours would see very little support from health 
IT.
    Is this a good use of taxpayer dollars, in your opinion, 
for----
    Dr. KING. For the----
    Mr. CAMP. The beneficiary?
    Dr. KING. Yes. I think that incentives are extremely 
important to get adoption. However, I think you have to do it 
in a way that drives improvement of care at the same time. Just 
handing out money for people to buy electronic health records I 
think will lead to large failures, a lot of wasted money, and 
you won't get what you want.
    Mr. CAMP. Dr. Orszag, if physicians were paid based on the 
quality and appropriateness of care they delivered, would they 
be more likely to see financial incentives associated with 
adopting health IT?
    Mr. ORSZAG. Yes.
    Mr. CAMP. That would be a good thing?
    Mr. ORSZAG. Yes.
    Mr. CAMP. All right. Thank you. Thank you, Mr. Chairman.
    Chairman STARK. Mr. Doggett, would you like to inquire?
    Mr. DOGGETT. Thank you, Mr. Chairman, and thanks to each of 
our witnesses who have offered some valuable insights into this 
complex issue. I certainly agree with Dr. Orszag, that we 
cannot begin to get at--effectively--the $700 billion of waste 
in the system unless we have information technology. We won't 
get information technology unless part of the incentives are 
strong negative incentives. We will simply be encouraging 
people who are already moving toward health IT, and not getting 
at those who have been resistant to the idea.
    My concerns, though--and I will address probably all my 
questions to Ms. McGraw--concern the question of privacy.
    You are well aware that this is not the first time, as all 
our witnesses are, that this Committee has considered 
information technology. In 2006, I joined with Mr. Emanuel and 
some of our other colleagues in offering an amendment to the 
bill that was up then, designed to protect patient privacy. On 
the floor, I offered that language, and I have not seen 
anything since then.
    In fact, quite a bit of evidence supporting our concern 
about patient privacy that would suggest that, in this 
legislation, we should lower the bar and denigrate the standard 
that was set in the Emanuel amendment, and the language that I 
offered on the floor.
    I find that, despite the efforts yesterday of Congressman 
Ed Markey, that there are a number of provisions in the 
legislation approved in the Energy and Commerce Committee that 
are troubling. I thought, Ms. McGraw, that your point was well 
taken in your testimony, that proper standards for privacy are 
not an obstruction to information technology, which we want. 
They, in fact, can enable that.
    Indeed, wouldn't you agree, Ms. McGraw, that, unless there 
are appropriate privacy safeguards in this legislation, we 
won't get the kind of honest, complete data that we need, both 
from practitioners and from patients, feeling that they can 
have confidence in telling their physician what their situation 
is, particularly in the mental health area, unless they can be 
sure that their personal data is private, and shared only 
between medical health care practitioners, and not sold off to 
some data mining company?
    Ms. MCGRAW. Right. No, of course, I completely agree with 
you. You know, one out of every six people in this country 
practice what are called privacy protective behaviors because 
of their fear about how their health information could be used 
to harm them. That is particularly true for people who are 
dealing with conditions that are frequently stigmatized, or 
have sought care that really, you wouldn't even want your 
neighbors to know about.
    So, essentially what that means is that people either won't 
go to the doctor, they will lie to their doctor, or they will 
ask their doctor to be careful about what goes in the record, 
or they will see multiple providers to avoid all of the data 
being in one record. Of course, if we are going to all be 
electronically connected, that behavior obviously won't be as 
fruitful as it once was for people who are really concerned 
about their privacy.
    The problem is that that person doesn't necessarily get 
good care, because the physicians and the providers who care 
for them need that information. So, there is bad data, 
essentially, in the record. That also hurts us in our efforts 
to measure care quality--and use of data for population health 
purposes, because you have some bad data streams in there.
    So, I agree with you, that it's important to pay attention 
to this.
    Mr. DOGGETT. Exactly. We want the data stream to go--to 
allow us to set good policy, to allow for treatment insuring 
between practitioners. But we don't want bad data that grows 
out of fear that privacy is being invaded.
    I note that the bill that was approved in the Commerce 
Committee yesterday, though it makes repeated reference to 
privacy, does not define privacy.
    Ms. MCGRAW. Yes. Well, to be quite frank, I think that the 
focus on a definition of privacy is, again, far less important 
than setting forth some very clear parameters on how 
information can be used by health care providers, and how it 
can't be used.
    There is actually, within the privacy community, a great 
deal of difference of opinion on if you were to define what 
privacy is, what that would be. So, we could spend a lot of 
time debating that, and still not--you know, and not come up 
with a good set of privacy and security protections. I think 
our focus is better put on----
    Mr. DOGGETT. Would you agree----
    Ms. MCGRAW [continuing]. Setting that framework.
    Mr. DOGGETT [continuing]. That, again, looking to the 
Commerce bill, that patients should be able to give consent 
before identifiable prescription records are shared with 
insurance and pharmaceutical companies?
    Ms. MCGRAW. Well, again. We worry a bit that the focus on 
consent diverts us from the more important issues. Let me 
explain myself, because I--consent is an important part of a 
comprehensive privacy and security framework for protecting 
data. But it's only one part.
    In fact, if we sort of pin all of our hopes or our plans 
for privacy and security on patient consent, we will, 
unfortunately, provide people with very weak privacy 
protection. Because, in the health care context, people don't 
actually have a right to say no. If you are coming to your 
health care provider and you need care, they need the 
information to treat you. It's not a situation where you can 
say, ``Well, you can't use my information to do this.''
    It also puts all of the burden on the individual to protect 
their own privacy, counting on them to read the consent form, 
understand what it says, sign it at the bottom, and then hope 
that actually what they have signed at the end of the day 
actually does protect their privacy in ways that they think it 
does. There is plenty of research that shows that people 
actually completely misunderstand what they read.
    I would much rather have a focus on creating some very 
clear rules about how providers can and can't use data, and 
penalties associated with the misuse of that data.
    Mr. DOGGETT. Seeing the red light is on, and understanding 
that consent, by itself, may not be sufficient to protect 
privacy, it would appear that in the Commerce bill, that 
doctors, concerning certain procedures, must obtain consent 
from patients before sharing this data. Is that your reading?
    Ms. MCGRAW. The--it is for health care operations----
    Mr. DOGGETT. Right.
    Ms. MCGRAW [continuing]. Which is a defined term in HIPAA, 
which isn't treatment and isn't payment, but is instead this 
sort of--I call it almost back office, things associated with 
treatment like a peer review, quality assurance----
    Mr. DOGGETT. You agree with that consent requirement?
    Ms. MCGRAW. I have some concerns about it, to be quite 
honest. Again, the focus--people will be--the consent forms, 
people--again, they don't read them, they don't understand 
them. What they end up being is potentially a shield for uses 
of data that would, again, be much better protected if we had 
some clear rules around how entities can and cannot use data. 
We worked with Committee staff to try to make that provision 
more clear, to make sure that it was linked to the minimum 
necessary rule. But, again, I still have some concerns about 
that provision in the bill.
    But, having said that, CDT does support the Energy and 
Commerce legislation and moving it forward, because we think 
there are some very important privacy and security protections 
in there.
    Mr. DOGGETT. But not necessarily without some changes. 
Okay.
    Ms. MCGRAW. We would encourage some changes. But, again, 
our support was not qualified. I don't want to be 
misunderstood.
    Mr. DOGGETT. Thank you.
    Chairman STARK. Thank you. Mr. Johnson, would you like to 
inquire?
    Mr. JOHNSON. Thank you, Mr. Chairman. You know, when you're 
following on that conversation, when you're talking with 
specialists--and there are a heck of a lot of them out there 
these days, as you know--the docs have to coordinate with one 
another. That information has to be passed.
    You know, Dr. Orszag, you repeatedly state that physicians 
have little incentive to adopt health IT, and state that 
physicians may actually have a disincentive, because the 
systems can lead to a reduction in the number of unnecessary 
tests and services. You have been a proponent of that, and 
claim we're spending too much money.
    If this is the case, then why are any physicians spending 
their own money to implement health information technology? 
There is a doctor practice in my district that was so motivated 
to implement an electronic health record, that they went from 
paper charts to paper free in three short months. They broke 
even on the investment in 18 months, and have reported a 
significant addition to physicians' annual income as a direct 
result of the technology. If they're doing fewer tests and 
services, which you state is the case, then they're making more 
money from something else. From all the conversations I have 
had with physicians who have adopted this technology, the 
scenario is not a one-time phenomenon. There happens to be 17 
physicians in that group that did that.
    Is this an inherent disincentive that dissuades physicians, 
or just that there isn't enough people out there, trying to get 
the equipment or associations or organizations spreading the 
good word of what technology can do for them? Do you have a 
comment on that?
    Mr. ORSZAG. Well, Mr. Johnson, as has already been asserted 
by the Chairman, I suppose in some settings I am a strong 
believer in the power of incentives and free markets. I will 
just look at the evidence. Ten to twenty percent of physicians 
have adopted. So, yes, there are some that find it in their 
interest to do so. But the vast majority don't, under the 
current system.
    The kinds of settings where there are--it is profitable to 
do so, there might be some losses from ordering fewer tests, 
but you save on administrative efficiencies. You may not need 
as many support staff to process things. You can often get 
internal efficiency benefits that offset any other effect.
    I would just come back, though, to saying in the current 
system we are clearly not getting take-up rates that are 
anywhere near what most people believe would be optimal. I 
don't think that is from a lack of health IT providers or 
vendors, you know, going out there and saying, ``We have these 
things that may help you.'' I think it is from complexity, and 
I think it's from a lack of direct incentives for especially 
small practitioners to adopt.
    Mr. JOHNSON. Well, I think we could appeal to physicians as 
small businessowners, and let them use the Tax Code to deduct 
the cost of the technology if they wanted to, and perhaps 
entice them that way. But it sure is a lot simpler dealing with 
a doc that has got that kind of data. I know the docs here know 
that.
    But you know, in Dallas, for example, you can--if you 
happen to have a doc that's got that IT installed, you can go 
to the hospital and you don't even have to fill out forms, 
because they can pop that stuff over there right now.
    Mr. ORSZAG. I don't think there is a person on this panel 
or in this room who is not annoyed at how many times you have 
to fill out forms when you go see a new doctor. We all are----
    Mr. JOHNSON. 18,000 times.
    Mr. ORSZAG. Yes.
    Mr. JOHNSON. Yes. It seems like the forms are duplicative. 
In the hospital, it is even worse, you know?
    Mr. ORSZAG. Yes, Sir.
    Mr. JOHNSON. There is a stack of them this high. So, if we 
can get rid of that, and the storage required for all that 
paper, it would be a marvelous improvement in our medical 
system, I think.
    Thank you, Mr. Chairman. I will yield back.
    Chairman STARK. Thank you, Mr. Johnson. Mr. Thompson, would 
you like to inquire?
    Mr. THOMPSON. I would. Thank you, Mr. Chairman. Thanks for 
holding the hearing, and thanks to the witnesses, for being 
here.
    I have got some concerns about how we make health IT 
available in the areas that I represent, specifically our rural 
areas. Dr. Orszag, you referenced the Robert Wood Johnson work, 
and they mention the fact that rural hospitals are 50 percent 
less likely to be able to have health IT, and that solo 
practices, which are, more often than not, in rural areas, fall 
under some pretty heavy constraints. It's more than just coming 
up with the capital to put this in place. There is maintenance, 
there is constant upgrades. Small practices, rural practices, 
rural hospitals don't have the opportunity or the ability to 
have a full-time IT manager in place.
    How do you--what recommendations do you suggest that we 
make sure we don't hurt these guys in our effort to help them, 
and help health care?
    Mr. ORSZAG. Well, the report that you referenced, CBO's 
report, also mentions that one thing you could do is, if you 
are going to go with the carrot approach, or the subsidy 
approach, you can vary it.
    So, for example, provide a larger subsidy to solo 
practitioners than to large practices. Or, I suppose you could 
also offer a larger subsidy to regional hospitals than to urban 
hospitals, for example.
    But I would again come down to the fundamental problem here 
is there is a lot of the benefit that is going to accrue from 
having a more universal system of health IT that is not going 
to be capturable--or directly capturable--to, say, that 
regional hospital. There is a national benefit here, in terms 
of capturing efficiencies in health care that will not--it will 
be very difficult to have it flow back to that hospital.
    So, there is this problem in that there is a national 
benefit and an overall benefit, and it's not exactly the same 
thing as the benefit to that regional hospital. That's just the 
way it is. It's very hard to come up with a way of returning 
that overall efficiency gain to all of the doctors that will be 
necessary in order to capture it.
    Mr. THOMPSON. Well, I am very worried that we understand 
that, and even in regard to the carrot approach, that we don't 
think that we can give some sort of incremental increase in 
funding, based on visits or something to pay for that. Because 
the rural guys also don't have the amount of folks coming in 
for visits that more populated areas do.
    Also, in the area--in the issue of interoperability, I 
would just be interested in hearing maybe Mr. Jones, if you 
could comment on this. In my rural district, I have doctors 
that--one doc will work in three or four different hospitals in 
three or four different areas that will be out of county, out 
of city.
    In your work in regard to interoperability, do you take 
this into consideration, and--the cross-jurisdictional 
boundaries?
    Mr. JONES. Yes. I think that there are a few aspects to 
that. One is people are realizing these days that there was a 
lot of energy focused on trying to reconcile patient data, 
given that patients go to multiple places. But the same is true 
for providers.
    So, I think that similar technology that allows you to 
reconcile who this patient is can also allow you to reconcile 
who the doctor is, so you can pull the information from----
    Mr. THOMPSON. So, you would envision interoperability that 
crosses jurisdictional boundaries, and every city would have 
the same electronic ability, every county, every area where you 
would get this cross-pollenization?
    Mr. JONES. I think, from a technology standpoint, yes. I 
think what starts to become the barrier are the policies that 
those different jurisdictions have to work out, in order to 
facilitate that.
    Mr. THOMPSON. I have been involved in the--in California, 
in bringing technology forward for programs such as the welfare 
program in California. You couldn't get cities to agree--let 
alone counties to agree--on what type of technology you would 
use. I would just think it would be very difficult for 
individual hospitals, and especially individual hospitals run 
by individual companies, and operating in different 
geographical areas.
    Mr. JONES. Yes. I think that it does require a focused set 
of policies for this purpose of interoperability. That's what 
we found in New York, for example, in some of the RHIO's. 
Hospitals may have different policies about how they correct 
errors in patient data. But when it came to the community-wide 
view of that data, they had to have a separate policy that 
allowed them to have a common understanding of how that data 
would be treated. So, I think it has to be purposeful in that 
way.
    Mr. THOMPSON. Thank you. Thank you, Mr. Chairman.
    Chairman STARK. Mr. Becerra, would you like to inquire?
    Mr. BECERRA. Thank you, Mr. Chairman. Thank you, to the 
panel, for your testimony.
    Mr. King, let me start with you. My understanding is you 
have a very low percentage of your patients who pay through 
Medicare.
    Dr. KING. About 3 percent. However, 40 percent is Medicaid.
    Mr. BECERRA. Right. But Medicare is about 3 percent?
    Dr. KING. That's correct.
    Mr. BECERRA. How many patients would you say you see in a 
year in your different clinics, roughly?
    Dr. KING. We see 32,000 total patients, individual 
patients----
    Mr. BECERRA. Okay, and----
    Dr. KING [continuing]. In all the clinics combined. Is that 
the question?
    Mr. BECERRA. Yes, that's fine.
    Dr. KING. Okay.
    Mr. BECERRA. If we were to go toward a system to try to 
incent the institution of a HIT throughout the country, and 
certainly in your clinic--and while you have moved forward, 
chances are if we're doing it through Medicare, you're going to 
get very little money back.
    Dr. KING. That is correct, because we don't have a lot of 
Medicare patients.
    Mr. BECERRA. But you do have a lot of Medicaid patients.
    Dr. KING. Yes.
    Mr. BECERRA. Do you get any SCHIP patients?
    Dr. KING. We get some of those, as well.
    Mr. BECERRA. Okay. Do you get any other form of government-
subsidized payment for patients that you see?
    Dr. KING. Off the top of my head--you're talking about 
Federal?
    Mr. BECERRA. Or state.
    Dr. KING. We get tobacco tax.
    Mr. BECERRA. Okay.
    Dr. KING. There is some, like, special programs, like well 
women programs and----
    Mr. BECERRA. Well, there----
    Dr. KING. We also have WIC.
    Mr. BECERRA. There are programs sponsored, supported, 
subsidized by the government--Federal, state, and maybe local--
that offer you some reimbursement for some of the patients 
which you see, because most of the folks you see, obviously, 
are modest income or uninsured.
    Dr. KING. Absolutely. We have 50 percent uninsured.
    Mr. BECERRA. Okay.
    Dr. KING. For every dollar that we get for uninsured 
patients, we spend about $2 on them. So, we do that by 
leveraging the money we get from Medicaid, primarily.
    Mr. BECERRA. Your clinic is like thousands of clinics 
throughout the country who provide care to some 16 million 
people in America who otherwise might not have access to good 
health care. So we thank you for that.
    My question, then, is if we go toward a model that only 
seeks to use Medicare to try to provide the incentive for 
health IT, is that going to help the community clinic universe 
that's out there, providing care to some 16 million Americans?
    Dr. KING. It would leave us out.
    Mr. BECERRA. It would? Do you think there is any reason why 
we couldn't use Medicaid as a mechanism to try to offer 
incentives to adopt HIT?
    Dr. KING. No, Sir. I think that's----
    Mr. BECERRA. Can you think of any reason why we wouldn't 
want to consider using the SCHIP program to perhaps also adopt 
HIT?
    Dr. KING. Perhaps it doesn't penetrate deep enough. That 
would be my only concern.
    Mr. BECERRA. But we are providing it to some six million to 
seven million kids right now.
    Dr. KING. Right.
    Mr. BECERRA. If Congress is successful in overriding the 
President's veto, we would include another five million kids 
from modest-income families. So, that might be another 
mechanism?
    Dr. KING. Makes sense, yes.
    Mr. BECERRA. Okay. Dr. Orszag, is there any reason that 
you're aware of why Medicaid or SCHIP could not also be 
considered vehicles through which we would try to incent, 
positively or negatively, the adoption of HIT?
    Dr. ORSZAG. No, I can't think of a reason. Indeed, it's not 
just community clinics, but also pediatricians and other parts 
of the medical system that would be left out in a Medicare-only 
approach.
    Mr. BECERRA. You forecast my question to Dr. Ejnes, and 
that is, is there any reason, Dr. Ejnes, that you think that we 
should not consider using SCHIP or Medicaid, as well as 
Medicare, for potential vehicles to try to incent the adoption 
of HIT?
    Dr. EJNES. No, I can't think of any reason. I think all 
payers have a stake in this.
    Mr. BECERRA. Okay, good. Dr. Orszag, do you have a sense--
and this may go beyond what you have examined--but do you have 
a sense of how much an incentive, positive or negative, and 
over what timeframe we would have to do this, in order to try 
to really capture the providers out there in America into this 
system of HIT?
    Mr. ORSZAG. Well, I guess that's similar to a question--it 
depends on how deep an incentive you want to provide. It's 
similar to the question of how much it would cost to move 
towards universal health IT. The answer is, it depends on the 
systems adopted, but something in the range of tens of billions 
of dollars. In your head, if you want something, you know, $50 
billion to $70 billion or so is the kind of number that you 
should have in your head.
    You obviously don't need to pay--you don't need to fully 
subsidize that, if you don't want to, but that is the kind of 
range that one might want to have in your mind, if you are 
thinking about the total cost.
    By the way, that--just coming back to the earlier 
question--that's for adoption, and then there are ongoing 
maintenance and other costs.
    Mr. BECERRA. I appreciate that. Thank you, Mr. Chairman. I 
yield back the balance of my time.
    Chairman STARK. Thank you. Let's see, who--Mr. Emanuel, 
would you like to inquire?
    Mr. EMANUEL. Thank you, Mr. Chairman. Dr. Orszag, if you 
look at IT, or look at your $700 billion of what you think are 
savings through efficiency in otherwise spent dollars, you have 
the chronic illnesses, wellness programs--the other side of 
that chronic illnesses--you have paying doctors for outcomes, 
rather than fee-for-service, you have IT.
    Break down the parts--and I know this is a rough game--and 
I am a little confused, because some people are saying what you 
said, and then other people's testimony is slightly different, 
that IT kind of is the foundation to all these others. Then, 
you are saying that IT is just a piece of those, and--you know, 
the others--and it's just a composite.
    So, is IT the essential combination to the lock of the 
whole $700 billion, or do you see it as just a part and parcel 
of other sets of pieces that would get us at that $700 billion?
    Mr. ORSZAG. It unlocks one of the locks, but there is then 
a bolt and other things on the door, so there are many other 
things that have to happen in order for----
    Mr. EMANUEL. Don't ruin a bad metaphor of mine, okay? It 
was horrible when it started. Please, don't do that. Go ahead.
    Mr. ORSZAG. Health IT--so the report says, and in terms of 
foundations, think of health IT as necessary but not 
sufficient. You need to do it in order to get the data to do 
comparative effectiveness research, and then to pay for what 
works. That is crucial, including for those needing chronic 
care and those with multiple chronic conditions.
    But by itself, if you just plop a health IT system into a 
fragmented system with distorted incentives, don't expect 
magic. You're not going to get the $700 billion by just putting 
health IT in.
    Now, if you want to start breaking it down--the problem is, 
if we need to make three or four changes in order to capture 
that efficiency, and they're all necessary, you can't--I can't 
give you a breakdown on how much is coming from this piece 
versus that piece.
    Mr. EMANUEL. Well, let me ask you this way. Tell me if this 
is right, that we spend about 60 percent of our dollars on 
chronic illness that, if those were managed better, you would 
see a reduction of health care costs.
    Mr. ORSZAG. The majority----
    Mr. EMANUEL. Close?
    Mr. ORSZAG. It depends exactly, but yes. The majority of 
health care costs are going towards very seriously sick people. 
By the way, that's where a lot of this variation that is 
occurring across the United States is occurring, also.
    Mr. EMANUEL. Let me understand, because I think one of the 
problems when I looked at the report also is about how much 
Germany has spent, Great Britain has spent, versus what we 
spend on a per capita basis. We're like in the pennies, and 
they're spending $21 a patient, et cetera.
    We discussed this, Democrats on the Committee talking 
yesterday, on the IT space. You know, I noticed last time when 
we did a spectrum sale, we thought it would generate about $10 
billion in revenue, and it generated $19 billion. Have you ever 
looked at using that type of revenue, of asset sales as--in a 
dedicated area that would go into a health IT? We can do it as 
a revolving fund, et cetera, as a way to leverage those 
dollars, but selling some type of asset to generate this--what 
you would call start-it-up capital for this specific space?
    If you were to do that, what would be the first type of 
payments you would do, given what you said, you know, medical 
IT has to be in combination with other things?
    Mr. ORSZAG. First, let me say on Federal assets, I think 
there is a substantial amount of Federal assets that could be 
better managed, and potentially sold in exchange for revenue 
that could be used for other things, and that--spectrum, by the 
way, if you move toward addressing climate change, you're also 
creating a very valuable commodity there. Federal properties 
and land and buildings, and what have you, there are all sorts 
of assets that we are not optimally managing, and that could be 
used for this sort of thing.
    I have not actually thought about what would be at the top 
of the list for this specific application, but the general 
thought, I think, is a very good one.
    Mr. EMANUEL. All right, thank you. Mr. Chairman, I yield 
back.
    Chairman STARK. Thank you. Ms. Tubbs Jones, would you like 
to inquire?
    Ms. TUBBS JONES. Mr. Chairman, thank you. To the speakers, 
thank you for coming this morning. This is significant, that we 
are talking about IT as we transform the delivery of health 
care from people who used to walk up to a doctor's door, and 
the doctor did everything that they needed to, large systems 
delivering health care.
    I want to commend my staff, Athena Abdullah, for a 
wonderful opening statement. It's so good, that I am going to 
read a part of it before I ask you questions.
    The requisite tools and technologies are viable if a 
company--let me back up and start from this page.
    Our current care delivery model requires a myriad of 
Federal and state laws, and regulations that are difficult to 
understand and navigate for large payers and providers. 
Vulnerable and under-served populations rarely have the 
resources or tools to effectively understand and navigate the 
mix of Federal, state, and local entities engaged in providing 
their health care. The requisite tools and technologies are 
viable if a company by culturally, linguistically, appropriate 
outreach and educational initiative, advocacy and public policy 
strategies, work force development and training ventures, and 
concrete options for funding and sustainability.
    A comprehensive approach will be required to bring under-
served populations into our National HIT framework to achieve 
improved health quality and access for racial and ethnic 
minorities, and other under-served and vulnerable populations.
    Health information technology is widely viewed as a tool to 
improve health quality and expand health access for consumers 
in the United States. Public, private, and community 
stakeholders have a vested interest in insuring that all 
communities participate fully in the benefits of health 
information and related technologies.
    Just last evening, I held my first telephone townhall 
meeting with my constituents in the 11th congressional district 
of Ohio. What I found very interesting was the reception or 
receptivity of people to having access to that process. It made 
it a lot easier for seniors who may not get out of the house, 
who could do it by telephone, contact by telephone.
    But the dilemma I see, and the dilemma I see as we walk our 
way through this whole technology piece, is the need to be 
inclusive of those who historically are not accessing 
computers, technology, who are afraid to even think about 
getting on a computer. I would be curious to give each of you 
the three minutes that I probably have left at this point to 
answer for me, how do we bring into this world the people who 
are not into technology, who also are not necessarily into 
accessing improved health care? They want better health care, 
but they don't always receive it.
    I am going to start with Mr. Jones, and I am going to come 
to Dr. Orszag, and anybody else can pipe in. Mr. Jones, I 
picked you because I think you can help me answer that 
question. Go ahead, Sir.
    Mr. JONES. Well, thank you. I think that a----
    Ms. TUBBS JONES. Also, we might be related, you know, so we 
might as well take----
    [Laughter.]
    Mr. JONES. We may be. We may be. I think that the--a lot of 
what we're talking about is the ability for those who would 
assist those under-represented populations to be technology-
enabled.
    So, for example, in Philadelphia, where I live, there are 
several academic medical centers--University of Pennsylvania 
Hospital, Temple University Hospital System--who serve a lot of 
these who are disenfranchised. So, I have had talks with both 
of them--and I know that they have initiatives--in order to try 
to upgrade their IT capabilities, so that they can extend the 
benefit of that to the populations they serve, whether it's 
through their hospitals or their physicians, who are affiliated 
with the hospitals.
    So, I think that is one way. If we can go to urban centers 
and other places where these populations are and empowered, the 
providers, to be able to access this technology, it would be 
helpful.
    Mr. ORSZAG. Yes, if I could just add, I mean, this is 
related to the discussion we were having earlier about 
community clinics and other providers that are serving, 
disproportionately, those populations.
    But let me back up and say I think an absolutely huge issue 
that has received far too little attention--we have heard a lot 
about inequality in income; we have heard far too little about 
inequality in life expectancy and other health outcomes. Life 
expectancy inequality in the United States is exploding by 
income.
    So, at the top of the socio-economic distribution, life 
expectancy is going up much faster. At the bottom, it is either 
flat, or perhaps even declining. I think this is a major issue 
that has received very little attention.
    Ms. TUBBS JONES. I appreciate your response. Mr. Chairman, 
my time has ended. But I would hope that, at some point, we 
could--he is not paying attention to me, so I'm going to keep 
talking. No, I hope that we have an opportunity to further 
explore that very issue.
    You will remember back--President Bush said to people of 
color, ``I am going to help you get Social Security, because 
you die early.'' We kept saying, ``Don't tell us--help us get 
Social Security, stop--help us not die early, you know, stop 
us--the death decline of minority populations.'' So, I thank 
you for your----
    Mr. ORSZAG. Well, while the Chairman is distracted, maybe 
we should say there should be a hearing on the topic, or----
    Ms. TUBBS JONES. I think there should be a hearing. All in 
favor, say----
    [Laughter.]
    Chairman STARK. We had a hearing in June.
    Mr. KIND. You just lost control of the Committee.
    Chairman STARK. I think so, yes.
    Ms. TUBBS JONES. I yield back the balance of my time.
    Chairman STARK. Yes, your time just expired.
    [Laughter.]
    Chairman STARK. Mr. Kind, would you----
    Mr. KIND. Thank you, Mr. Chairman. I want to thank our 
panel of witnesses today. I think this is an incredibly 
important topic, and we really do need to wade into the weeds a 
little bit more on this.
    The reason I think it's important is I think it's 
imperative that we do strive to reach a both public and private 
reimbursement system, based on outcomes in performance, value 
of care, health care. The only way we're going to be able to do 
that is if we can establish the standards of what that outcome 
in performance should be. The only way we can do that is 
collect the comparative analysis and the data. The only way we 
can get there is with an effective, fully interoperable HIT 
system, one that deals with the privacy and the security issues 
and that, but one that is completely interoperable.
    Now, the details get difficult and tricky, and that's where 
you all are supposed to be helping us with type of incentives, 
disincentives that we can create in order to get this build-out 
and this infrastructure done sooner, rather than later.
    I am proud to hail from a state that seems to be at the 
forefront of this movement in Wisconsin, with their quality 
health care collaborative initiative that they have, where all 
the providers have voluntarily agreed to come together to 
develop the comparative standards of care that we should be 
striving for. It is unfortunate that Mr. Reding wasn't able to 
make it here from Marshfield Clinic, because they have been 
doing some very interesting and exciting cutting edge things 
involving all this.
    But, Dr. Orszag, let me start with you. We hear this $700 
billion figure mentioned about potential savings in the 
Medicare system. Now, is that assuming that we get to this 
outcome, or performance-based reimbursement system with HIT in 
there and all these difficulties that have been discussed today 
resolved? Or does that involve other factors?
    Mr. ORSZAG. Two things. First, that's for overall health 
spending, it's not just Medicare. Second, it is in--it's kind 
of scoping out what the potential is, and it would require the 
type of health IT system that we were discussing, it would 
require an aggressive comparative effectiveness research 
effort, it would require a substantial change in payment 
methodology, but under Medicare and the rest of the health 
system, in order to capture even a significant portion of it, 
and there would be lots of sort of political economy 
difficulties in doing that.
    It is intended just to say, ``What's the potential,'' while 
recognizing the massive constraints we face in trying to 
capture that.
    Mr. KIND. My sense, too--as you said, 15 to 20 percent are 
already doing it, they've already made the investment and gone 
to HIT, you know, the various systems out there--but my sense 
is that this is also a generational thing. You've got some 
older practitioners out there that might be a little more 
loathe to make the conversation.
    My sense, too, is it's kind of a difference between 
established hospitals with huge paper records already in 
existence, versus newer provider networks that are just getting 
up and going, and are willing to make that initial up-front 
investment.
    But one of the areas--and I want to kind of wade into some 
sensitive area here, too--is we all realize there are 
substantial costs, as far as end-of-life care. I am just 
wondering what difference a performance or outcomes-based 
standardized system would make, when it comes to medical 
decisions involving the final 6 weeks or 6 months of life, 
because it seems inherently subjective and so much depends on 
the attitude of the consumer, the patient, at that point, what 
their expectations of care really are.
    I think one of the problems that we have in health care is 
we're not listening to the patients well enough when it comes 
to end-of-life care. Because I think, if we did, there would be 
an inherent more conservative attitude from most folks that 
what they really want is a chance to be at home, surrounded by 
their family and loved ones with pain medication to deal with 
it, but a chance to be in that type of setting, as opposed to 
multiple tests and prolonged ICU stays, and things of that 
nature. We really haven't touched about end-of-life care, and 
it is a big chunk of what we're dealing with here.
    Mr. ORSZAG. Let me come back and say, again, if you look at 
the last six months of life, even at our leading medical 
centers, you see dramatic differences in the intensity of 
services, how many of those tests are being done, how many 
specialists you're seeing and what have you, which to me 
suggests, I mean, even at those places where, basically, the 
best medical care in the world is delivered, we are delivering 
it in different ways across different parts of the United 
States, and we don't know what we're getting in exchange for 
the more intense approaches.
    Health IT and comparative effectiveness--the things we are 
discussing, would let you drill down in why--what are we 
getting, in exchange for that additional test, that additional 
procedure, that additional day in the hospital, which we can't 
answer now, and which many people express a lot of skepticism, 
in terms of whether there is any additional benefit.
    I would also say there is evidence suggesting that when 
people are confronted with the types of choices that you are 
discussing, they do often choose the less expensive, less 
intensive approach.
    Mr. KIND. All right. Thank you. Thank you, Mr. Chairman. I 
appreciate the hearing today.
    Chairman STARK. Thank you. Ms. Schwartz, would you like to 
inquire?
    Ms. SCHWARTZ. Thank you very much, Mr. Chairman. Again, 
thank you for your courtesy that you have extended to me. I 
really appreciate it, as--I don't know what to call myself--an 
adjunct visitor here.
    But I wanted to--I think that I am here because I am very 
keenly interested in health IT, and some of you certainly know 
that we had, I thought, a very significant victory last week, 
with including e-prescribing--I pushed pretty hard for that--in 
the Medicare bill, with tremendous support, of course, from the 
Committee chair and the Committee, more broadly.
    I have actually seen a great deal of interest expressed to 
me about the fact that we did get e-prescribing done. I think 
almost--now there are other members coming to me and saying, 
``Wow, I think we just did something really important, and we 
ought to do more of it.''
    So, I think it's creating an enormous opportunity for us to 
proceed with incentivizing. As you know, under e-prescribing, 
we used both carrots and sticks, as Dr. Orszag pointed out, to 
use that model, moving forward. Now, of course, this is much 
more complex, to use electronic medical records more broadly. 
You raised a lot of the issues we have to deal with.
    As I understand it--and there are many places for me to go, 
actually, in terms of my questions, but I wondered if you could 
give us some help on one aspect that we understand, which is 
just moving from paper to electronic records is simply not good 
enough. It might make it easier, but it isn't going to achieve 
the savings or the improved quality, unless it's really a 
comprehensive medical record, and it really changes behavior by 
the providers, and hopefully by the patients, as well.
    We are looking at protocols, you know, different kinds of 
information that might be available not only between providers, 
but even for an individual medical practice or an individual 
provider.
    So, instead of my giving the list of possibilities of 
evidence-based clinical protocols and things that might be 
added to this, could you better define what kind of conditions, 
or could we articulate what we would say if we were going to 
provide incentives for use of electronic medical records, what 
conditions, what the definition of those electronic medical 
records would contain?
    You know, what would the expectation be that, again, this 
isn't just going to--going from paper to electronics, but what 
kinds of actions, what kinds of conditions, in addition to the 
privacy ones, in terms of patient practice, I think is--you 
know, I mean physician practice and hospital practice--that we 
might want to outline, define? Do you think we could do that?
    We haven't heard much of anything--start with you.
    Dr. EJNES. Yes, I think, you know, you're absolutely 
correct. Just going to collection of word processing documents 
that are legible is not an electronic record that is going to 
make a difference.
    But certainly you spent a lot of time discussing what we 
refer to as decision support. That is something that we think a 
full-bodied EHR should have: decision support in terms of 
providing guidance on how to treat a condition; what types of 
evidence there are; reminders on monitoring, if someone is on a 
certain medication, what needs to be checked; the ability to 
check allergies, look at drug interactions; the ability to keep 
track of patients, the registry functions, if you will, so 
that, you know, we can get reports on how we're doing with our 
diabetics in the practice, or our hypertensives; and the 
interoperability, the ability to capture the information that 
the other doctors taking care of the patients can provide.
    So, I think you are correct. The EHR has to be able to do 
more than just digitize what's in the charts in the record 
room.
    Ms. SCHWARTZ. Two quick questions to follow up on this one. 
Is--do you think those are well defined enough for us to be 
able to articulate them and require them?
    Do you think that we can create a system--and do you have 
suggestions for how to make sure that that is dynamic enough so 
that we don't set it in place?
    We always have to be concerned about that here, that we set 
it in place so that it doesn't--it's got to change very 
frequently, it's got to be very dynamic, in order to--medical 
science changes all the time. You want to be able to say, 
``Okay, it wasn't last year's protocol. We want it to be 
today's protocol,'' and we have to make sure that that's 
dynamic. Would you suggest how we actually make sure that 
happens?
    Dr. EJNES. Yes, I think we can define what it is. In fact, 
a lot of the surveys that look at EHR uptake distinguish the 
full-fledged ones from the others. I think the certification 
commission has played a major role in defining the various 
functionalities that an EHR should have. So, I think we're on 
our way there.
    Ms. SCHWARTZ. Maybe Dr. Orszag wants to answer this if 
anyone else does--so how much savings could we reap, if we 
actually do do it right? I do understand that that is a big 
question. But, assuming we do do it right, we want to 
incentivize this behavior, I am willing to see a stick at the 
end of the day.
    How long will it take--maybe this is a question for anyone 
else, too--but how long will it take for us to reap a 
significant return on our investment and savings in the system?
    Mr. ORSZAG. I think, again, it comes down to what do you 
mean by ``doing it right.'' If doing it right means just health 
IT, I----
    Ms. SCHWARTZ. No, no, no. I have already expressed the fact 
that this is----
    Mr. ORSZAG. You've got the whole thing. Okay.
    Ms. SCHWARTZ. Right.
    Mr. ORSZAG. You've got the whole package. You are doing----
    Ms. SCHWARTZ. It is interoperable, it has protocols that 
we're going to define quality, we're going to----
    Mr. ORSZAG. Yes, but I am also going to layer on you're 
doing an aggressive comparative effectiveness effort, so that--
--
    Ms. SCHWARTZ. Okay.
    Mr. ORSZAG [continuing]. You are using the data that are 
coming out of that, and then you are actually then tying 
financial incentives for providers to the evidence that is 
coming out of that, despite all of the backlash that would then 
ensue.
    Ms. SCHWARTZ. Right.
    Mr. ORSZAG. You do all of that, and you do it very 
aggressively, I think that is the best hope for capturing a 
large share of that $700 billion. I can't quantify exactly how 
much, but it is--the more aggressive you do it, the more likely 
it is you're going to capture more of that efficiency.
    Ms. SCHWARTZ. Okay. Thank you, Mr. Chairman.
    Chairman STARK. Thank you. Mr. McDermott, would you like to 
inquire?
    Dr. MCDERMOTT. Thank you, Mr. Chairman. I would like to 
follow a little bit of the Chairman's line of questioning, 
because a couple of people reacted negatively to one of his 
suggestions--that is, that we have one system, or can we get it 
down to one system.
    When I was a medical student, I did research. You could 
find 2 left-handed plumbers living in a town of under 40,000 
people in the Danish health records with no problem at all, and 
you still can't do that in the United States.
    So, it strikes me that before we spend a time on 
incentives, there has to be a set of standards that are 
acceptable--the government puts out 65 percent of the health 
care money in this country already, with Medicare and Medicaid 
and Indian health and veterans health, and the DoD. So, we 
should set a standard at the Federal level. I will tell you why 
I feel this way.
    I spent 5 years trying to get the veterans system and the 
Department of Defense to talk to each other. Much of that 
Veterans Administration stuff was done in Seattle. I have seen 
doctors sit there with two screens--one, the VA screen, and 
one, the DoD screen--some guy in Iraq comes back all beat up. 
He is discharged from the military. He goes into the Veterans' 
system. His military records are still at DoD. The two systems 
won't talk to each other.
    I talked to admirals and generals and everybody up and down 
the medical line, and what I found was that there was a 
proprietary system developed by the military. God knows we 
can't touch a proprietary system. When we have this VA system 
which is a much better system, much more applicable, much more 
widely--it's now used in hospitals in Seattle, where people 
from the community can check into the Veterans' system if a 
veteran appears at the Swedish hospital, or at the university 
hospital, or whatever.
    I reacted when I heard a couple of you--I think it was one 
of the doctors said, ``We don't want a single standard.'' I 
understand that the free enterprise system wants to let a 
thousand flowers bloom. But explain to me how is a physician--
if the point of the system is research, that is, we can compare 
across the country, and it is to give better health care, that 
is, since your patient appears in my hospital I can go in and 
find the information, why you wouldn't want one interactive 
system that would be--I mean, I have the problem with two 
computers, one in here in Washington, DC, and one in Seattle, 
and they can't seem to get the same thing on the screen when I 
open it up.
    Dr. EJNES. Yes, yes. Just so that I am--you know, we're 
clear, this is--it's confusing, because we talk about system. I 
think I misunderstood the Chairman's question, initially. I 
thought he was asking about the software application that sits 
on the physician's desk.
    I mean, I think we are all in agreement that there should 
be a system, there should be a common language that allows the 
information to be exchanged. My point was that, given that 
every physician's office differs in one way, shape, or form 
from another, to require a single software program that would 
be the EMR for all physicians would not be successful, because 
the needs of a large 50-physician group are different from 
those of a 2-physician group.
    But in terms of the ability to take whatever sits on that 
desktop in that office, and exchange the information in the way 
that you describe, I think we're all on the same page, and we 
do support standards, we do support a system of health 
information exchange that allows different entities with 
different systems--either proprietary or open source--to 
exchange patient information. But when you get down to the 
institution level, to the practice level, there may be specific 
needs that may not be met by a one-size-fits-all application.
    Dr. MCDERMOTT. But then--and here is the problem, it seems 
to me. We pass an incentive out of here, we put billions of 
dollars out there and we say, ``Okay, guys, everybody in the 
medical profession should now be a part of the system,'' and 
they all plug into what?
    What is incentivizing them to become a part of? Just to 
have hand-held devices, or are we a system, or what? What is it 
we're incentivizing? I would like to hear what----
    Mr. WHITLINGER. Perhaps the analogy could come from the 
financial sector. I mean, there are hundreds----
    Dr. MCDERMOTT. No, this is medicine. Talk about how it 
works in a hospital.
    Mr. WHITLINGER. But if you think of the banking center, 
where there are thousands of banks, and each of those banks has 
its own data center and its own ability to store its data, keep 
it private, keep it secure, and give its own members the 
quality and the services of banking that they would like to 
provide, yet all those banks are interoperable, all those banks 
can exchange data, with regards to funds.
    Dr. MCDERMOTT. So, is it----
    Mr. WHITLINGER. Perhaps that is the analogy----
    Dr. MCDERMOTT. The reason you need the different systems is 
because you want to protect the privacy of patients? Is that 
what you're talking about?
    Mr. WHITLINGER. Well, you could----
    Dr. MCDERMOTT. Why not have a system that I, as a doctor, 
could get in and read?
    Mr. WHITLINGER. So, you could look at it from a couple of 
different perspectives. But one is that, perhaps, different 
medical practices would be offering different services. Another 
is that they could be competitive by offering different 
services of a data nature, as well.
    Now, the fact that they can interoperate allows the system 
that we would all like to have, where you have transportability 
and importability of the data and the patients----
    Dr. KING. My feeling is that Vista was paid for by 
taxpayers, and it should be available to taxpayers. It is a 
great system that evidence in the literature has literally 
hundreds of citations to support how good that it operates. 
It's the most interoperable system that exists in the United 
States right now, between specialists and everyone in the VA.
    I think my personal feeling is that if we were going to sit 
down and design a system, we wouldn't be having--a health care 
system--if we started from scratch with a blank piece of paper, 
we wouldn't be asking this question. We would have one system, 
because that's what makes sense. The reason we are asking the 
question is because nobody designed the health care system, and 
it is a mess.
    I personally believe we should have one system, and we 
should have competition at the vendor level. That would keep 
the health care costs in the health information technology 
arena down, because then you would have vendors that are 
competing against each other. Once you go proprietary, then you 
have to keep with what their support costs are, and you're 
locked in.
    Dr. MCDERMOTT. So, you're saying you want something like 
what's happened with the tanker issue in the Air Force. You 
want to have two vendors compete for who can build the best 
tanker. Is that the----
    Dr. KING. I'm not really familiar with that. I am not sure 
that's what I am advocating.
    Dr. MCDERMOTT. Who could pay off the auditors, is what I--
--
    Dr. KING. Did the tankers sink?
    [Laughter.]
    Dr. MCDERMOTT. The problem with that is that--I was a state 
legislator, and I bought the first computers for the Department 
of Health and Human Services in the state of Washington. I 
spent millions of dollars on them, and we threw out system 
after system after system that one vendor came in and sold us, 
and that one didn't work, or they couldn't make it work, so we 
threw out a--we came--I don't know how much money we have 
wasted in this country on buying systems.
    I want something like Vista to----
    Dr. KING. Right. But if you have one system, then what you 
can have is many vendors supporting that system. So, then you 
have the competition at the vendor level, instead of at the 
system level. I think that could save a lot of costs.
    Mr. JONES. If I might point out, though, there are multiple 
kinds of systems that are involved. So, electronic health 
record is one thing that you may use in a physician office, but 
it needs to get information from a lab information system that 
a reference lab uses.
    There is also a hospital information system which is 
different than an electronic health record system. There are 
systems that hold images. So, all of these different kinds of 
systems need to speak with one another. So, specifying one 
electronic health record system is sort of the camel's nose in 
a tent, because then you have to specify one lab information 
system, and one--you know, you ultimately would have to specify 
everything not only that exists, but that could be imagined.
    So, we would have to--it is better to say, ``Let's specify 
the way that they would speak to each other,'' and mandate 
whoever has a system does it that way.
    Ms. MCGRAW. One of the--I know we're over, but one of the 
things that nobody has mentioned yet is the certification 
commission for health IT. The standards bodies that have been--
the standards body that Lee has referenced, again, they are 
bringing the stakeholders together to come to agreement on what 
the common standards should be, so that these systems--which 
may themselves, in the software, have differences--at the level 
of creating a national health IT network will be able to talk 
to one another.
    The certification commission, which is a contractor to the 
Federal Government, is being paid to come up with standards for 
certifying products that meet those standards, so that people 
buying the system that meets the CCHIT criteria know that they 
have bought a system that has the standards that essentially 
have been adopted or endorsed through this process. So,----
    Chairman STARK. Would you yield?
    Ms. MCGRAW. Yes, Sir.
    Chairman STARK. I am informed that they are certifying 
systems that can't talk to each other.
    Ms. MCGRAW. Well, that would be quite unfortunate. I----
    Chairman STARK. That's my understanding of----
    Ms. MCGRAW. But I think it is worth looking into, so that 
we get some clear information here.
    Chairman STARK. Yes. Yes, it is.
    Ms. MCGRAW. Because, from a consumer standpoint, I do worry 
about blessing one system that everyone has to buy, from a sort 
of innovation standpoint. Stifling that----
    Chairman STARK. What about if it's one system that we give 
them free?
    Ms. MCGRAW. Well, somebody has got to pay for that.
    Chairman STARK. We already have, haven't we, Dr. Pete? It's 
Vista. We can continue this informally, if we like. We can give 
our clerk a reprieve and call the formal session to an end. 
Hopefully, some of you would like to stay and discuss this.
    Thank you. I want to thank the panel. Thank you very much, 
Dr. Orszag, who normally would go off first by himself and get 
out of here a lot sooner, thanks for sticking around, Peter, 
and thank you all for taking the time. It has been very 
helpful.
    We are going to call you back. I know we're going to need 
more information. Be well.
    [Whereupon, at 12:10 p.m., the hearing was adjourned.]
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    [Submissions for the Record follow:]
                          Alex Hill, Statement
    Clinical patient data is stored in a variety of electronic systems. 
These systems use a variety of programming languages and database 
systems to store and maintain the patient data. These systems encompass 
a mix of proprietary systems from commercial vendors, open source 
systems and systems developed at taxpayer expense by government 
agencies. However, combining data from different systems (a) to obtain 
a comprehensive view of an individual patient, or (b) to analyze large 
volumes of data for public health purposes, is a major IT problem. This 
problem is particularly acute in U.S. Healthcare since the majority of 
computer systems used in U.S. hospitals are based on legacy 
technologies, the most prominent of which is MUMPS. This is 
particularly true in the case of the hospital networks of the Veterans 
Administration (VistA) and the DOD's Military Health System (AHLTA/
CHCS). However, it is also true of the systems offered by most of the 
leading commercial vendors of hospital systems.
    The above problems are not unique to Healthcare. The same 
challenges are faced across all industry sectors whose systems are 
based on legacy technologies. Recently, an Israeli software company, 
CAV Systems Ltd, developed a set of solutions that address these 
challenges and the solutions are already being successfully deployed 
there.
    Since these solutions are not industry-specific, they can be 
equally well applied to the challenge of legacy data and software in 
the U.S. Healthcare Industry. The potential benefits include billions 
of dollars in savings and accelerated progress towards the goal of a 
fully interconnected health IT infrastructure years ahead of present 
estimates.

The Problem of Legacy Systems and Data

    (1) MUMPS is used by over 90% a majority of hospital EHR 
applications and information systems  in the U.S.

1.  What is MUMPS?

    It is a programming and database system developed 4 decades ago at 
Massachusetts General Hospital. It was subsequently adopted by many in 
the Healthcare community but is also used in other industry sectors.

2.  The ``pros''

    At the time that MUMPS was conceived, the prevailing computer 
hardware, software, and programming staff were oriented towards the 
needs and economics of business rather than the needs of clinicians. 
MUMPS addressed the needs and economics of the clinical side of 
hospitals--and did so successfully.

3.  The ``cons''

    Computer Science has advanced considerably since MUMPS was 
conceived. Several of its features that were viewed at that time as 
powerful, productive and beneficial are today no longer viewed as 
``good practice'' for designing and programming complex systems such as 
Healthcare. Indeed it is the use of these features that is the source 
of many of the challenges facing the U.S. Healthcare industry at the 
present time. That is why they are today viewed as ``bad practice''.
    (2) Many hospital systems in use in the U.S. today are effectively 
``abandoned'' either because the vendors have gone out of business or 
have been acquired by competitors whose interests are to ``sunset'' 
these legacy systems (because they are based on MUMPS) and push new 
expensive systems that many hospitals--particularly those serving rural 
and smaller communities--simply cannot afford. The result is that 
``patient data is trapped'' inside these legacy systems and cannot be 
accessed in any convenient, timely and affordable manner by other 
clinicians outside of the legacy system. This negatively impacts 
patient care.
    (3) The cost of new Hospital Information Systems is staggering.
    The power of computers has grown by orders of magnitude during the 
past two decades and the relative cost has decreased. The 
sophistication and usability of software has likewise advanced 
enormously during the same period and the relative cost has decreased.
    One would therefore expect the cost of Hospital Systems would 
reflect these trends. However, with rare exceptions, the opposite has 
been the case. The costs of upgrading hospital systems, including new 
EHR technology, are running into the tens of millions of dollars per 
hospital, and in some cases exceed a hundred million dollars. Most 
hospitals cannot make this kind of investment in their systems.
    (4) The short-to-medium term solution is a way to extract the data 
from these legacy systems at an affordable cost:

1.  M2R--Replicator (MUMPS to Relational):

    The concept is simple: migrate the data from a legacy Mumps 
database to a more modern relational database format (Oracle is one 
example of such a database). such as Oracle. The legacy application 
would continue to run and perform all of its tasks, while the data is 
now available in a usable database format. The process can be set up so 
that the data is automatically and continuously updated in the new 
relational database. Once in the relational database, then all kinds of 
tools can be used to sort, manage and analyze the data. This would be a 
way of extracting quality data for Medicaid/Medicare, for example.
    A detailed outline of this process was submitted by CAV Systems to 
TRICARE Management Activity in December 2007 in response to ``Joint 
DOD-VA Inpatient EHR RFI: W81XWH-08-RFI-EHR''.
    (5) The medium-to-long term solution is converting the legacy 
systems--the programs as well as the data--to prevailing technologies:
1.  JUMPS (Java from MUMPS):
    The concept is simple: create Java programs that are functionally 
identical to the MUMPS programs--and do so with a very high level of 
automated procedures and minimal manual intervention of IT 
professionals.
    A detailed outline of this alternative approach was submitted by 
CAV Systems Ltd to TRICARE Management Activity in December 2007 in 
response to ``Joint DOD-VA Inpatient EHR RFI: W81XWH-08-RFI-EHR''.
    (6) The viability and effectiveness of the CAV Systems' solutions 
has been demonstrated to work in the U.S. in one of the most 
intractable systems to work with--the Military Health System's legacy 
CHCS system.

1.  Proof of Concept (PoC)Project

    The Department of Defense's medical research arm, Telemedicine and 
Advanced Technology Research Center (TATRC), U.S. Army Medical Research 
and Materiel Command, located at Fort Detrick, Maryland, recently 
funded a Proof-of-Concept (PoC) project to validate the JUMPS 
technology [note: the M2R--Replicator technology is a subset of JUMPS 
so the PoC project was effectively validating both]. The Report of the 
results of the project was delivered to TATRC at the end of April 2008. 
Following are several quotes from the report:

          ``The JUMPS technology works as claimed by CAV 
        Systems. The JUMPS technology is scalable and can handle very 
        large M/Cache systems whose scope and complexity are similar to 
        those of CHCS.''
          ``The JUMPS migration process itself is 
        straightforward and the skills required to effectively use 
        JUMPS are easily acquired by IT professionals familiar with the 
        M/Cache environment and the Java/Oracle environment.''
          ``--JUMPS is the only technology and process 
        presently known to both parties that offers an automated 
        methodology for the delivery of functionally identical systems 
        from M/Cache to Java/Oracle, and to do so in relatively short 
        timeframes--months rather than years.''

2.  How can this new technology help VA/DoD interoperability/data-
        sharing issues?

    The most widely used database systems in today's world in almost 
all industries and all geographies are Oracle (from Oracle Corporation) 
and SQLServer (from Microsoft) in the commercial proprietary area, and 
MySQL and PostgreSQL in the Open Source sector.
    CAV Systems' solutions--M2R--Replicator and JUMPS--are designed to 
work with any of these databases. This enables data that is trapped in 
legacy MUMPS systems to be ``set free'' since the vast majority of 
modern software products are already designed to be used with these 
leading databases.
    The Military Health System presently encompasses two different 
systems--AHLTA with Oracle as its database technology and CHCS with 
MUMPS (or its proprietary version named Cache from InterSystems 
Corporation) as its database technology.
    The Veterans Administration likewise encompasses two different 
systems--VistA with MUMPS (or Cache) as its database technology and 
MyHealtheVet with Oracle as its database technology.
    Through the use of CAV Systems' solutions, all patient data will be 
in Oracle. This drastically simplifies the interoperability/data-
sharing issues.

3.  How this can be used as a national model?

    The pilot project conducted by TATRC shows that these technologies 
can be used to extract the data locked into the CHCS systems as well as 
to migrate the entire program to a modern language, JAVA. This same 
model can be used for Mumps systems across the country. A Successful 
implementation by VA and DoD of interoperability/data-sharing that 
combines legacy data (from MUMPS systems) with data from modern systems 
such as Oracle would demonstrate the capability to the medical 
community at large. It would demonstrate several factors, including the 
value to patients and doctors alike, short time frames to a functional 
data exchange, as well as the savings compared to alternative 
approaches.
    Since most commercial health information systems are still based on 
legacy MUMPS technology, the CAV Systems' set of solutions can bring 
similar benefits to the non-government sector of the healthcare 
community.
    These technologies can save taxpayers billions of dollars and years 
of work in building the national health infrastructure network.
    CAV Systems Ltd is an independent software house with 3 decades of 
experience and expertise in MUMPS. The aggregate MUMPS experience of 
the professional staff exceeds 250 man-years. It also has extensive 
experience and expertise in bridging the legacy world of MUMPS with the 
modern world of web-based systems and prevailing technologies such as 
Java and Relational Databases.
    CAV Systems Ltd is the only company offering an approach 
(``process'') and accompanying technology that automates the migration 
of very large legacy MUMPS systems to functionally identical Java/
Oracle systems that can be deployed on commodity yet powerful platforms 
based on prevailing systems such as Linux--and can do so in highly 
compressed timeframes (i.e. months, not years).

                                 
                        Beverly Miner, Statement
     My name is Beverly Miner, Vice President and Executive Director of 
the National E-Prescribing Patient Safety Initiative (NEPSI) for All 
scripts. All scripts is the leading provider of clinical software, 
connectivity and information solutions that physicians use to improve 
healthcare. The company's unique solutions inform, connect and 
transform healthcare, delivering improved care at lower cost. More than 
40,000 physicians and thousands of other healthcare professionals in 
clinics, hospitals and extended care facilities nationwide utilize All 
scripts to automate everyday tasks such as writing prescriptions, 
documenting patient care, managing billing and scheduling, and safely 
discharging patients, as well as to obtain key information and connect 
with important stakeholders in the healthcare system.
     The Committee is considering a bill which could bring healthcare 
into the modern age by encouraging the broad adoption and use of health 
information technology. The electronic prescribing program in the 
recently-passed Medicare bill--which encourages the use of e-
prescribing when a physician is providing services to a Medicare 
patient--is a great first step toward this same goal because e-
prescribing will introduce physicians and others to the benefits of all 
electronic health records (EHRs). However, more needs to be done on the 
e-prescribing front. Congress needs to make sure that healthcare 
providers who do not serve the Medicare population--those who serve 
Medicaid patients, children, and adults under 65--are e-prescribing. We 
must first jump this e-prescribing hurdle together before moving on to 
the other more complicated obstacles in our path to a comprehensive, 
fully interoperable Health IT system.
     Most importantly, we need to make sure that we are addressing the 
underserved market by providing federal funds for e-prescribing to our 
safety net providers. If the safety net is not e-prescribing, the 
patients it serves will not be able to receive the increased quality of 
care that comes with e-prescribing. The Health IT bill that is under 
consideration must include significant funding to help these healthcare 
providers get started e-prescribing.
     The benefits of e-prescribing are well recognized. E-prescribing 
ensures that crucial clinical information on patients and medications 
are delivered at the point-of-care, enabling physicians (and their 
staff) to make informed decisions regarding the treatment for their 
patients and automating workflow that increases efficiency and reduces 
errors.
     The Centers for Medicare and Medicaid Services (CMS) reported in 
November 2007 that a shift to e-prescribing ``could avoid more than two 
million adverse drug events annually, of which 130,000 are life 
threatening'' and ``has enormous potential to create savings in health 
care costs, through reduction of adverse drug events and in improved 
workflows. One recent study estimated the potential savings at $27 
billion per year in the United States.''
     The Congressional Budget office estimated that the Medicare e-
prescribing provisions, alone, would save the Federal Government $2.1 
billion over ten years. Imagine the savings if e-prescribing were 
adopted by the healthcare providers that are serving the rest of the 
nation.
     Yet, only about 2% of the estimated 1.47 billion prescription 
transactions in 2007 were transmitted electronically. And only about 6% 
of office-based physicians are e-prescribing. This presents a serious 
problem. In order to reduce avoidable medication errors--care providers 
need access to information from all physicians who are prescribing for 
that patient. E-Prescribing benefits will not be fully realized until 
it is adopted and utilized on a widespread basis.
     Therefore, in 2007 All scripts partnered with a number of key 
stakeholders--such as WellPoint, Aetna, Dell, Microsoft, Google, 
Sprint, and Cisco--to launch a nationwide initiative to provide an 
easy-to-use and secure internet-enabled e-prescribing solution free of 
charge to all healthcare professionals across the nation who are 
eligible to prescribe. This initiative, called the National E-
Prescribing Patient Safety Initiative (NEPSI), provides the software 
application, hosting, a drug interaction database and a medication 
database.
     Nevertheless, many physicians are not taking advantage of this 
free service. That is because the necessary investment in e-prescribing 
goes beyond the cost of software. Physicians face the likelihood of 
spending thousands of dollars on hardware, infrastructure, training, 
and practice management. They will need to invest a great deal of time 
and money to change their workflows to incorporate e-prescribing into 
their practices and convert their paper records.
     All scripts recommends that Congress provide federal funding 
through a demonstration program or targeted grant program that will 
provide funds to healthcare providers for hardware, infrastructure, 
training, and practice management. We recommend that those funds be 
targeted at healthcare providers who face the biggest financial 
challenge and who otherwise might be unwilling to adopt e-prescribing--
safety net and primary care providers. At a minimum, these funds should 
be distributed in the same years that federal funding is distributed 
under the Medicare e-prescribing program. Furthermore, in order to 
leverage the federal investment, Congress may want to consider 
providing additional funding to physicians who are willing to obtain 
their software for free from the private sector.
     Thank you for considering my testimony.

                                 
                       Deborah C. Peel, Statement
    Thank you for the opportunity to submit written testimony to the 
U.S. House of Representatives Committee on Ways and Means regarding 
health information technology legislation and the importance of 
privacy. We commend the hard work of this Committee and its staff.
    The testimony being submitted here is on behalf of Patient Privacy 
Rights (PPR), a national organization that educates consumers about the 
importance of health privacy, champions smart policies and 
technologies, and holds industry accountable to protect what's most 
valuable--our health, our families and our reputations. Patient Privacy 
Rights has members in every state in the nation. While PPR prefers to 
work collaboratively with providers and industry we are beholden only 
to consumers and patients. PPR also leads the bipartisan Coalition for 
Patient Privacy, representing over seven million Americans, who want 
their rights to control personal health information to be restored.
    As founder of PPR, I learned about the importance of privacy 
directly from my patients. A practicing physician in the field of 
psychiatry, I know effective treatment depends upon the trust 
established and maintained between doctor and patient. When I first 
entered private practice, people came and paid me cash on the 
barrelhead because they had lost jobs or their reputations were ruined 
when someone saw their health records that should not have.
    Sitting face to face with patients for over thirty years and 
hearing how their privacy has been violated made me much more attuned 
to protecting their privacy. It is that long-term, human contact that 
has made me so passionate about restoring privacy. Frankly, it is heart 
breaking to see the destruction caused when private, intimate 
information gets in the wrong hands. PPR, in operation for just a few 
years, hears daily from patients from every state in this nation, 
desperate for help and looking for justice.
    In this submitted testimony, we will reiterate why privacy is the 
lifeblood of effective healthcare and successful adoption of health IT. 
Additionally, we will suggest ways to ensure both progress with health 
IT and privacy for all Americans. Finally, we will focus some comments 
on H.R. 6357, the bill recently reported by the Energy and Commerce 
Committee.

The importance of privacy

    Privacy is about much more than minding one's own business. We 
believe that ``who'' can see, share or buy our most sensitive health 
information is a policy issue that deserves extensive public debate and 
a roll call vote. Our personal health information is worth billions of 
dollars. Continued open and easy access to that information is the  
goal of the insurance industry, large employers, data mining industry, 
drug companies, the for-profit research industry and others.
    The lack of privacy is harmful and can be deadly. Millions of 
Americans avoid doctors and delay medical care for fear their employers 
will find out, their insurers will drop them or a vast world of 
strangers will know their most intimate mental, physical, or genetic 
details.

          According to HHS, two million Americans with mental 
        illness do not seek treatment due to privacy concerns.\1\
---------------------------------------------------------------------------
    \1\ 65 Fed. Reg. at 82,779
---------------------------------------------------------------------------
          600,000 cancer victims do not seek early diagnosis 
        and treatment.\2\
---------------------------------------------------------------------------
    \2\ 65 Fed. Reg. at 82,777
---------------------------------------------------------------------------
          Millions of young Americans suffering from sexually 
        transmitted diseases do not seek diagnosis and treatment (1 in 
        4 teen girls are now infected with a STD).\3\
---------------------------------------------------------------------------
    \3\ 65 Fed. Reg. at 82,778
---------------------------------------------------------------------------
          The California Health Care Foundation found that 1 in 
        8 Americans have put their health at risk by engaging in 
        privacy-protective behavior: Avoiding their regular doctor--
        Asking a doctor to alter a diagnosis--Paying privately for a 
        test--Avoiding tests altogether.\4\
---------------------------------------------------------------------------
    \4\ CHCH Consumer Health Privacy Survey, June 2005
---------------------------------------------------------------------------
          The Rand Corporation found that 150,000 soldiers 
        suffering from Post-Traumatic Stress Disorder (PTSD) do not 
        seek treatment because of privacy concerns.\5\
---------------------------------------------------------------------------
    \5\ ``Invisible Wounds of War'', The RAND Corporation, p. 436 
(2008)

    Avoidance and delay in seeking health care costs society in real 
dollars, quality of care and life. Sadly, we have reached a point where 
some physicians find themselves having to choose between providing 
thorough, complete medical diagnosis and treatment and putting their 
patients' insurance coverage or even employment at risk if sensitive 
---------------------------------------------------------------------------
information is shared.

HIPAA

    Before proceeding with our recommendations for health IT 
legislation, we want to reiterate the need to reduce the deficiencies 
and close the loopholes in the Health Insurance Portability and 
Accountability Act (HIPAA). First, despite the fact that HIPAA requires 
more stringent privacy-protective state laws and medical ethics to 
prevail over the privacy `floor' in HIPAA, the opposite has occurred. 
This is all the more reason for federal law to ensure that what 
Americans say in the doctor's office, stays in the doctor's office. 
This expectation that the Hippocratic Oath means doctors will keep 
records private no longer holds true.
    Second, HIPAA regulations allowing broad access to personal health 
information for the purposes of treatment, payment and health care 
operations without consent have created not only a radical shift in the 
traditional relationship we have had with our trusted doctors, but 
created a vast, unregulated market that treats our most personal 
information as a commodity. Data mining and sale of health information 
is rampant. This was not the intent of Congress. In fact, clearly 
members of the Energy and Commerce committee intended to stop this 
practice with the inclusion of SEC. 312(d) in H.R. 6357. An excellent 
and timely example of this practice specific to prescription records 
was highlighted just last week by journalists at Business Week and the 
Washington Post (See ``They know what's in your medicine cabinet: how 
insurance companies dig up applicant's prescriptions and use them to 
deny coverage,'' Business Week by Chad Terhune, July 23, 2008 and 
``Prescription data used to assess consumers: records aid insurers but 
prompt privacy concerns,'' Washington Post by Ellen Nakashima, August 
4, 2008).
    Third, until the HIPAA loopholes are closed we are strongly opposed 
to extending HIPAA to cover personal health records (PHRs) and other 
non-HIPAA covered entities. While legislated policy is certainly needed 
to ensure privacy and security of PHRs and the other advances in 
technology, requiring these entities to comply with HIPAA would simply 
grant even more corporations the right to use protected health 
information without consent, facilitating even more data mining and 
sale of Americans' sensitive health records.
    Congress has an opportunity to correct the above mentioned 
deficiencies. We caution that any efforts to promote health IT without 
addressing the weaknesses in HIPAA will compromise the success of any 
the health IT system. A system without privacy will never produce the 
trust necessary to get the data needed for research, for quality 
improvement, for comparative effectiveness, to lower costs, and to save 
lives. Our mutual goal of progress and privacy is not only possible, it 
is the only way Americans will fully participate in health IT and share 
personal information. To achieve this goal we recommend the following 
specific measures for the committee's consideration.

Recommendations

    First, in H. R. 6357 the provisions in Sec 3002(b)(2)(B)(i) need to 
be strengthened in order to ensure individuals can segment sensitive or 
erroneous information in their electronic health records.
    For example, a radiologist does not need to see psychiatric 
records, nor does a podiatrist need to know about a pap smear. 
Moreover, if a patient's information is mistakenly entered in another 
patient's electronic medical record as a result of medical identity 
theft, that patient should be able to suppress that information by 
segmenting from the rest of their medical records, to avoid potentially 
catastrophic errors. As currently drafted, the reported version of 
PRO(TECH)T only requires that the Health IT Policy Committee consider 
and make recommendations on technologies that ensure segmentation. In 
the current bill, it is up to the Secretary to determine if a 
recommendation for segmentation shall in fact be adopted.
    Segmentation is already required for psychotherapy notes under 
HIPAA. The states require that several categories of information not be 
disclosed with the rest of general medical records without additional 
authorization, and federal law requires addiction treatment information 
to be disclosed only with specific authorization. Truly, any health IT 
system that fails to build segmentation into its design is outdated. 
Systems capable of segmenting sensitive information, offer Americans 
far greater privacy protections than those that do not. Technologies 
encouraged, supported and required by the Federal Government should 
promote and ensure innovation. Functionality to enable consumers to 
segment sensitive health information should be a policy required by 
Congress; the Secretary should be held accountable to implement 
policies--not make them.
    Second, strengthen the provisions in H. R. 6357 Sec 312(d) to 
ensure entities cannot share, sell, re-sell, or disclose electronic 
health information in any format without consent. The requirement to 
obtain consent before protected health information is used for health 
care operations is a welcome step forward. However, this provision has 
two serious limitations.
    (1) The definition of ``Electronic Medical Record'' is very 
limited. For example, it excludes prescriptions and laboratory data 
that are not created by doctors or staff at single institutions. Tying 
the consent requirement to this very limited definition of an EMR, will 
not prevent the use of the majority of protected health information for 
health care operations, which was PPR's understanding of the stated 
intent and purpose for adding this section to the bill.
    (2) The restriction on disclosures without consent should apply to 
every entity that may use protected health information, not just 
providers. In fact, providers are the least likely to use protected 
health information for healthcare operations. Other covered entities 
and business associates, including insurers, data miners, researchers, 
corporations and others are the primary ones that exploit this loophole 
in HIPAA.
    Third, we recommend including the NCVHS definition of privacy in 
the bill, ``health information privacy'' means an individual's right to 
control the acquisition, uses, or disclosures of his or her 
identifiable health data. The ``P'' in HIPAA does not stand for 
privacy. It is important for all stakeholders to speak the same 
language. The definition of privacy is just as essential as any of the 
other terms defined in this bill
    Fourth, we recommend the committee first establish a solid 
understanding of the actual uses of our personal health information in 
the marketplace. The health and health IT industry is a world clearly 
developing far faster than government regulations and standards. An 
essential part of this process should include investigations and 
documentation of the actual uses of our health information and the 
various markets that are sharing and selling our information today. 
With the exception of recent reports highlighting alarming rates of 
breaches, and dismal privacy and security within federal agencies, the 
public and Congress is frankly in the dark about the widespread under-
the-radar use of personal health information. Patient Privacy Rights 
urges the committee to include provisions requiring a GAO (or similar 
body) study on the following:

          The extent that Federal Government databases are 
        shared with other federal, state and local agencies.
          An accounting of all uses of personal health 
        information for treatment, payment and operations by entities 
        with federal health contracts.

    In addition, we recommend Sec 303(b) of H.R. 6357 be revised so 
that reports covering reported HIPAA violations and the outcomes of 
those investigations are submitted quarterly versus only once/year. 
Furthermore, a report of all breaches of PHI, the notification of the 
breach, corrective action and any history of repeat offenders should be 
delivered to Congress quarterly. An investigatory hearing into the 
health data mining industry and the sale of personal health information 
would also be a very worthy exercise, bringing to light the massive 
secret misuse of the nation's sensitive personal health information.
    Furthermore, clearly for privacy protections to be meaningful, they 
must be enforceable and enforced. We recommend that the RICO statute 
apply to entities that violate the law and improperly use, sell or 
share personal health information. Such entities should also be 
prohibited from winning any future federal contracts. Inclusion of a 
qui tam like provision, which authorizes private citizens to assist 
government prosecutors in enforcing the law, is also a proven mechanism 
to help accomplish the essential task of effective enforcement. Without 
it, prosecution of privacy law violations will rarely be a high 
priority.
    Thank you for the opportunity to present our concerns and 
recommendations to the committee on this critical issue. We strongly 
believe that if we ``build it right, they will come.'' If the 
electronic health information systems meet our citizens' privacy needs, 
all Americans, not just early adapters, will utilize such progressive 
tools and reap the potential rewards of health IT. We can and must 
ensure both progress and privacy. Americans need Congress to ensure 
that consent for treatment protects us as we come through the front 
door and laws preventing further disclosure and onward transfer 
protects our sensitive information from flowing out the back door. This 
is reasonable, achievable and will do worlds of good in this electronic 
health IT arena.

                                 
                       Jeffrey Kendal, Statement
    Thank you for the opportunity to submit this testimony on the vital 
topic of health information technology. Expanding the use of 
information technology in the health care sector has great potential to 
reduce costs and improve quality of care. We commend the Subcommittee 
for focusing its attention on this critical area.
    We have seen interoperable information technology systems drive 
tremendous improvements in customer service and cost containment in 
several industries over the last couple of decades. The banking 
industry and the travel industry are two good examples. They have 
utilized interoperable customer records and self-service technologies 
to dramatically improve the customer experience. The health care sector 
has been slower to adopt these technologies, but we are now seeing 
technology adoption start to pick up steam.
    The reason health IT is gaining momentum is because of its well-
established benefits:

          Reducing medical errors;
          Expanding care to hard-to-serve areas through 
        telemedicine;
          Restraining the growth in health care costs;
          Reducing wait times and unnecessary delays;
          Empowering patients and their physicians.

    All of these benefits are achievable for health care organizations, 
ranging from major medical centers to small town clinics. However, to 
maximize these benefits, it is critical that we make more progress on 
creating broadly accepted standards for interoperable electronic health 
records. Standardized EHRs are the key to unlocking the most 
significant benefits of health IT.
    A strong partnership between private industry and the Federal 
Government is necessary to create these standards. That is why we 
support the work of the National Coordinator for Health IT. We also 
support legislation being considered in both the House and the Senate 
to strengthen the role of the Coordinator. These bipartisan bills would 
also solidify the role of the IT and health care industries as partners 
in standards development, and provide funding for pilot projects in 
underserved areas.
    We hope that Congress will redouble its effort between now and 
adjournment to pass this legislation this year. We also hope that 
Congress will resist the temptation to add costly mandates that might 
have the unintended consequence of discouraging private sector 
investment in health IT systems. If Congress passes a balanced, 
technology-neutral bill this year, it will help kick-start the drive 
toward a standardized electronic health record.
    While the path to nationwide health IT adoption has been somewhat 
slow, a number of hospitals, clinics and private practices around the 
country have been early adopters, and they have found the benefits to 
be substantial. I will give you a brief example with which we are 
familiar.

Empowering Patients--Reducing Wait Times:

    The Medical Center of Central Georgia (MCCG) is a 600-bed acute 
care hospital that serves a 30-county area. MCCG is home to the Georgia 
Heart Center, which performs more than 1,100 heart surgeries each year. 
The hospital faced serious challenges in its patient intake and 
registration process. Registration bottlenecks led to some patients 
having to wait 20 to 25 minutes to see a registration clerk. Doctors' 
time was wasted because they had to wait while patients cleared the 
registration process. The process created stress for the staff and 
resulted in staff turnover.
     In 2007, the hospital began piloting information technology tools 
designed to create an electronic registration process. The system was 
built around electronic health records and self-service kiosks. The 
results have been eye-opening. Patient wait times have been reduced by 
about 20 minutes; doctors' time is better utilized; staff morale has 
improved; and patient satisfaction scores are higher.
     In addition, the hospital has been able to reduce costs by 
eliminating repetitive re-keying of information and scanning of paper 
documents. They have dramatically improved efficiency by streamlining 
processes for capturing patient information, submitting claims and 
managing medical records. At a time when declining reimbursements are 
pressuring hospitals to operate more efficiently, health IT systems are 
helping to reduce costs and free up staff to focus on patient care.
    As a result of this well-designed use of health IT, service to the 
patient has been improved and the hospital's resources are being better 
utilized--a win-win for everyone.

Conclusion:

    This example illustrates the benefits of one type of health IT--
self-service technologies. These technologies empower patients, reduce 
errors, shorten wait times, and eliminate repetitive data entry 
requirements. Demand for, and acceptance of, time-saving self-service 
technologies is growing rapidly. Our annual survey conducted this 
spring found that 89% of health-care customers are willing and able to 
take advantage of self-service systems. It also found that 46% of 
respondents considered increased privacy a key benefit of self-service 
technologies.
    This is just one type of health IT. There are many other beneficial 
health IT systems, including e-prescribing to reduce dangerous 
medication errors, and tele-medicine to expand health care access.
    The benefits and savings associated with health IT investments are 
compelling. Electronic health records and the health IT systems that 
they empower will help to improve patient safety and rein in the high 
cost of health care. Congress can help foster continued adoption of 
health IT by:

          Passing Health IT legislation this year;
          Avoiding technology mandates that discourage 
        investment in new technologies;
          Avoiding other types of mandates that may discourage 
        investment in health IT systems; and
          Conducting regular oversight of the process of 
        establishing health IT standards.


    Thank you again for the opportunity to submit this testimony, and 
thank you for the constructive role you are playing in helping to 
promote the benefits of health IT. I would be happy to provide any 
additional information that would be helpful.

                                 
                     John J. Castellani, Statement
    Business Roundtable is an association of 160 chief executive 
officers of leading U.S. companies with $4.5 trillion in annual 
revenues and more than 10 million employees. Member companies comprise 
nearly a third of the total value of the U.S. stock markets and 
represent over 40 percent of all corporate income taxes paid to the 
Federal Government. Collectively, Business Roundtable companies 
returned one hundred fourteen billion dollars in dividends to 
shareholders and the economy in 2006. The goal of Business Roundtable's 
public policy priorities is to ensure a vibrant economy and a 
competitive workforce. High health care costs are inhibiting job 
creation, hurting our ability to compete in global markets and 
straining the household incomes of many Americans. For Business 
Roundtable CEOs, health care costs are the number one cost pressure 
they face.
    Business Roundtable companies provide health care coverage to more 
than 35 million Americans. We believe an affordable, accessible, high-
quality health care system is of critical importance not only to 
Roundtable companies but to all Americans. Health information 
technology (HIT) is an essential component of a high quality 21st 
century health care system that would promote efficiencies, reduce 
errors and provide the technological platform to assess the quality and 
value of health care.
    To advance our health system, the health care industry needs to 
invest in and deploy HIT. In order for this to happen the industry 
needs to know the rules will not change and that is why Congress must 
act. Four things must be done at the federal level:

          Establish federal leadership for a public-private 
        process to set standards;
          Offer financial incentives to encourage the adoption 
        of HIT;
          Educate Americans on the value of electronic health 
        records and information on the quality of providers; and
          Address privacy and security questions as the system 
        is deployed.

    Our health care system is one of the few segments of the American 
economy that has not been transformed by modern, efficient information 
technology. This is not just inconvenient--it's costly and, in some 
cases, even lethal. An estimated 98,000 people die each year from 
medical errors, many of which might have been prevented with accurate 
and up-to-date electronic records. According to the RAND Corporation, 
widespread adoption of health IT has the potential to save as much as 
$165 billion a year from efficiencies and improved health outcomes.
    When widely implemented, information technology will deliver a 
whole new dimension of choice, convenience and control to America's 
health care consumer. Patients will be able to access their medical 
histories, underserved communities in rural areas and inner cities will 
enjoy greater access to health care, adult children will be better able 
to care for their aging parents from far away, and doctors will be able 
to better monitor their patients.
    We encourage the Committee to allow the adoption of HIT in the 
Medicare program. In June 2007, Business Roundtable released 
``Principles for Reform,'' which includes the principle that our health 
care system should promote and reward quality performance and the use 
of HIT. We recognize that payers in our health care system may need 
some incentives, either increased reimbursement or grants and loans, to 
encourage the adoption of health information technology.
    We also applaud the introduction of HIT legislation by several 
leaders in Congress including: Energy & Commerce Chairman John Dingell 
(D-MI) and Ranking Member Joe Barton (R-TX) for their introduction of 
H.R. 6357, the bipartisan ``Protecting Records, Optimizing Treatment, 
and Easing Communication through Health Care Technology Act,'' or 
``PRO(TECH)T Act;'' Congresswoman Anna Eshoo (D-CA) and Congressman 
Michael Rogers (R-MI), for the introduction of H.R. 3800, the 
bipartisan ``Promoting Health Information Technology Act;'' and the 
Senate's bipartisan S. 1693 ``Wired for Health Care Quality Act.''
    These bills would establish the foundation in law that is required 
for the widespread deployment of health IT. With this foundation, the 
adoption of health information technology would be accelerated and our 
U.S. health care system would become more efficient and effective which 
would benefit all Americans.
    Business Roundtable CEOs have joined in a ``Call to Action'' 
(Divided We Fail) with AARP, the Service Employees International Union 
(SEIU) and the National Federation of Independent Business (NFIB) to 
engage the American people, businesses, non-profit organizations and 
elected officials in finding bipartisan solutions like health IT to 
ensure affordable, quality health care for all. Congress, the 
Administration, the health care industry and the public are united 
behind HIT, and the Roundtable has made HIT legislation our number-one 
health care reform priority for 2008.
    Congress has the opportunity to take a big first step toward the 
goal of an affordable, accessible, high-quality 21st century health 
care system. We urge all members of Congress to pass legislation 
similar to the bills cited above that can be signed into law by the 
President during this Congress.

                                 
        The Computing Technology Industry Association, Statement
Introduction

    Chairman Stark, Ranking Member Camp, and Members of the 
Subcommittee, thank you for holding this important hearing to explore 
options of promoting of health information technology (HIT). My name is 
Roger J. Cochetti and I am submitting testimony on behalf of the 
Computing Technology Industry Association (CompTIA) representing our 
20,000 member companies.
    While nearly every industry has digitized records and 
communications, the health care industry remains in the analog, pen-
and-paper world. Daily, there are new breakthroughs in medical imaging 
technology, yet the orders for such exams remain hand-written. The 
current regime of paper records is costly, inefficient, unsecure, and 
frequently impedes patients from receiving best care possible.
    This is a real issue affecting the cost and quality of health care 
in America, and this issue is in urgent need of an immediate response. 
We believe your efforts to focus both congressional and public 
attention on this issue are most important.

CompTIA Overview

    The Computing Technology Industry Association represents the 
business interests of the information technology industry. For over 25 
years, CompTIA has provided research, networking, and partnering 
opportunities to its over 10,000, mostly-American, member companies. 
Nearly 75% of our membership is comprised of American Value Added 
Resellers, or VARs. These small, system integrators set up and maintain 
computer systems and networks for small businesses--including medical 
practices. An estimated 32,000 American VARs sell some $43 billion 
dollars worth of computer hardware, software, and services--mostly to 
the small businesses that drive the American economy. This means that 
around one-third of the computer hardware and software sold in the U.S. 
today is sold by VARs.
    As further background, in addition to representing the interests of 
VARs, CompTIA also works to provide global policy leadership for the IT 
industry through our headquarters in Chicago and our public policy 
offices in Washington, Brussels, Hong Kong, and Sao Paulo.
    Finally Mr. Chairman, for most people who work with computer 
technology, CompTIA is probably best known for the non-policy-related 
services that it provides to advance industry growth through standards, 
professional certifications, industry education, and business 
solutions. In order to most effectively serve the industry and our 
members, CompTIA has developed specialized initiatives and programs 
dedicated to major areas within the IT industry.
    Today, over one million IT professionals--mostly American 
technology workers--possess one or more CompTIA certifications; and 
each month between 10,000 and 15,000 American IT workers take one or 
more of the CompTIA certification exams.

The Issue: Cost vs. Benefit

    As the Committee is well aware, the benefits of HIT--ranging from 
e-prescribing to portable, interoperable electronic health records--are 
far reaching. A RAND study in 2005 estimated that HIT could yield an 
annual net savings to the health care sector of about $80 billion per 
year if all providers and hospitals adopted health information 
technology and used it appropriately.\1\ With total spending for health 
care at about $2 trillion per year, this represents a 4% savings. These 
savings would be the result of better administration of scheduling, 
coordination, and billing, better utilization of nurses--who could 
increase the portion of their time with patients as opposed to 
administrative work, increased safety, reduced hospital stays, and more 
efficient drug treatments. All of these benefits lead to the most 
important benefit of HIT, improved patient care. Portable, 
interoperable electronic health records (EHRs) will reduce medical 
errors, increase collaboration amongst physicians, and improve disease 
prevention and management.
---------------------------------------------------------------------------
    \1\ Hillestad R, Bigelow J, Bower A, Girosi F, Meili R, Scoville R, 
and Taylor R, ``Can Electronic Medical Record Systems Transform 
Healthcare? An Assessment of Potential Health Benefits, Savings, and 
Costs,'' Health Affairs, Vol. 24, No. 5, September 14, 2005.
---------------------------------------------------------------------------
    Unfortunately, approximately only 4 percent of physicians have 
fully functional EHR systems and only 13 percent have even basic EHR 
systems.\2\ It is significant to note that physicians who practiced in 
groups of at least 50 were three times more likely as those in very 
small practices (three doctors or less) to have a basic EHR system.\3\ 
Clearly, practice size impacts HIT uptake and should be addressed in 
any legislative solution.
---------------------------------------------------------------------------
    \2\ ``Physician Adoption of Electronic Health Records Still 
Extremely Low, but Medicine May Be At a Tipping Point,'' Health 
Information Technology Adoption Initiative press release, June 18, 
2008. http://hitadoption.org/
index.php?module=News&id=cntnt01&cntnt01action=
detail&cntnt01articleid=4&cntnt01returnid=30
    \3\ Ibid.
---------------------------------------------------------------------------
    Other impediments to uptake include cost in time and money, 
concerns about liability, lack of trained personnel, hesitance to 
change, concern about standards, and the fact that doctors bear the 
brunt of the cost but patients and payors receive most of the benefit. 
Purchasing and installing an electronic prescribing system costs a 
practice several thousand dollars and implementing a full EHR system 
costs tens of thousands of dollars. Additionally, a practice must bear 
the cost of downtime required to install the system and train 
employees, as well as annual maintenance and any new liabilities. While 
a practice can be back online at full capacity in a short time-period, 
the initial estimates can be daunting. In addition to being hesitant to 
change, the possibilities of transitioning to a new system before all 
technical standards have been established or creating a new area of 
liability gives physicians further pause. Finally, if a practice makes 
it to the point of full implementation, the cost savings highlighted 
above are not captured by the physicians, but rather the payors. As 
such there is little motivation for individual doctors and smaller 
medical practices to implement HIT that could have a transformative 
impact on health care.

Solutions

    CompTIA was glad to see positive first steps in promoting HIT when 
Congress included e-prescribing provisions in the recently passed 
``Medicare Improvements for Patients and Providers Act of 2008'' (P.L. 
110-275). Both lives and money will be saved as medication errors from 
incorrect dosages, allergies, and negative interactions are decreased. 
However, this was only the first of many necessary steps to promote 
broad implementation of HIT.
    In order to succeed in establishing broad, portable, interoperable 
HIT, medical care providers--particularly small providers--must be 
encouraged to implement and maintain HIT systems in their practices. 
HIT will not be universally successful unless it is adopted by the 
broadest health care provider group--the small health care 
practitioner. Clearly, the predominant obstacle for this group will be 
the costs of purchase, installation, and maintenance of a HIT system 
for their practice. In this regard, CompTIA continues to call for 
incentives that will enable small health care providers to join in the 
HIT evolution.
    In his testimony, Dr. Orszag explained that ``carrots'' only 
benefit those already on the verge of implementing HIT, whereas sticks 
will influence behavior throughout the medical industry. While this may 
be true, it does not address the fact that smaller practices face ever-
tightening profit margins and cannot rationalize such a large 
investment with such a little return. It is imperative that the 
Committee consider who pays the cost and who bears the benefit of 
implementing HIT. Doctors and practices cannot bear the cost of 
``sticks'' without the benefit of ``carrots'' as well. CompTIA has long 
supported tax credits for physicians that implement HIT. As the 
Committee develops draft legislation, they must consider the cost to 
physicians, address the concerns of both large and small practices, and 
consider other impediments, such as liability.

Conclusion

    The cost of health care is growing astronomically. HIT could be a 
valuable tool in curbing some of the costs, while improving health care 
quality and security but broad implementation will remain a pipe dream 
until there are financial incentives in place for doctors and small 
practices to implement systems and the standards for definitions, 
interoperability, and privacy are addressed. As the Committee develops 
legislation, we encourage you to include financial incentives for 
uptake--especially for small practices--and further the standards 
discussions.
    CompTIA is hopeful that technology will revolutionize health care 
through HIT in the same way technology and digitization has 
revolutionized other industries. We are confident that robust, 
interoperable HIT systems will lead to better patient care and cost 
savings. We thank you for the opportunity to voice our concerns and 
recommendations, and look forward to reading draft legislation as soon 
as it is available.

                                 

